diff --git a/roles/float-infra-nginx/templates/config/snippets/site-common.conf b/roles/float-infra-nginx/templates/config/snippets/site-common.conf
index 905d18bd840123c4441850733c8c3e02a203f0f7..a3d67645d3e15ecbd2a9136b4e2e1b58de39093c 100644
--- a/roles/float-infra-nginx/templates/config/snippets/site-common.conf
+++ b/roles/float-infra-nginx/templates/config/snippets/site-common.conf
@@ -57,6 +57,11 @@ location = /metrics {
 	return 403;
 }
 
+# Block external access to Golang /debug handlers.
+location /debug/ {
+	return 403;
+}
+
 # Add services that handle well-known URLs.
 {% for service_name, service in services | dictsort %}
 {% for ep in service.get('horizontal_endpoints', []) %}