diff --git a/.htaccess b/.htaccess
index 83063ae2e..098c58244 100644
--- a/.htaccess
+++ b/.htaccess
@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
 # Block all direct access for these folders
 RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dc2dbf843..e5202a383 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 3. [](#bugfix)
    * Fixed bad key lookup in `FlexRelatedDirectoryTrait::getCollectionByProperty()`
    * Fixed RequestHandlers `NotFoundException` having empty request
+   * Block `.json` files in web server configs
 
 # v1.7.25
 ## 11/16/2021
diff --git a/webserver-configs/htaccess.txt b/webserver-configs/htaccess.txt
index 83063ae2e..098c58244 100644
--- a/webserver-configs/htaccess.txt
+++ b/webserver-configs/htaccess.txt
@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
 # Block all direct access for these folders
 RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
diff --git a/webserver-configs/lighttpd.conf b/webserver-configs/lighttpd.conf
index 512362fd1..f14c5a8b9 100644
--- a/webserver-configs/lighttpd.conf
+++ b/webserver-configs/lighttpd.conf
@@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.
 $HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
     url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" {
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" {
     url.access-deny = ("")
 }
 $HTTP["url"] =~ "^/grav_path/(\.(.*))" {
diff --git a/webserver-configs/nginx.conf b/webserver-configs/nginx.conf
index bbca7d32d..fc7d06b49 100644
--- a/webserver-configs/nginx.conf
+++ b/webserver-configs/nginx.conf
@@ -20,9 +20,9 @@ server {
     # deny all direct access for these folders
     location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
     # deny running scripts inside core system folders
-    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
     # deny running scripts inside user folder
-    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
     # deny access to specific files in the root folder
     location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
     ## End - Security
diff --git a/webserver-configs/web.config b/webserver-configs/web.config
index 892ce9282..1c351a3b3 100644
--- a/webserver-configs/web.config
+++ b/webserver-configs/web.config
@@ -18,7 +18,7 @@
                     <action type="Rewrite" url="index.php" />
                 </rule>
                 <rule name="user_error_redirect" stopProcessing="true">
-                    <match url="^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="ignore_folders" stopProcessing="true">
@@ -26,11 +26,11 @@
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="system" stopProcessing="true">
-                    <match url="^system/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^system/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="vendor" stopProcessing="true">
-                    <match url="^vendor/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^vendor/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
             </rules>