Igor, to cut things short - I'd like to either pass the PHP scripts' execution to the fcgi processes or prevent them from being downloaded.
In addition, I tried to prevent PHP scripts in common webserver-writeable directories (of course, this list will be extended) from being executed in order not to allow user-provided PHP files to be passed to php-fpm:
    if ($uri ~* \/(images?|system|download|upload|cache|logs?)\/(.*\/)?[0-9a-z]+\.php$) {
        return 404;
    }
I set this rule: "location ~ \/[0-9a-zA-Z]+\.php$" in order to evaluate only PHP files with alphanumeric names, as these are the only ones valid from my perspective. Of course the rule may be improved (not allowing a script beginning with a number to be evaluated), but I don't think that this is necessary at this point.
"location ~ (/\.|.*conf.*\.php)" - in order to prevent hidden and configuration files from being exposed.
I hope I didn't do anything stupid, I'm open to suggestions :)
Edho, thank you for your advice, clearing the browser cache did the trick, but still - I'd like to prevent that happening again by somehow guarding the PHP scripts from being downloaded because of some configuration error, for example.
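
The three patterns quoted in this post can be checked offline against sample URIs to see which requests reach php-fpm, which get the 404, and which .php paths match no rule and would be handled as ordinary files. This is an added example, not part of the original post: the evaluation order, the sample URIs and the function names are assumptions, and Python's re module stands in for nginx's PCRE.

```python
import re

# Patterns copied from the post. "~*" is case-insensitive, "~" is case-sensitive.
DENY_WRITABLE = re.compile(
    r"\/(images?|system|download|upload|cache|logs?)\/(.*\/)?[0-9a-z]+\.php$", re.I)
PHP_HANDLER = re.compile(r"\/[0-9a-zA-Z]+\.php$")
HIDDEN_OR_CONF = re.compile(r"(/\.|.*conf.*\.php)")


def classify(uri):
    """Return which rule would handle a normalized URI (no query string).

    Assumed order (not stated in the post): the `if` runs first, then the
    hidden/config location, then the PHP handler location.
    """
    if DENY_WRITABLE.search(uri):
        return "404"
    if HIDDEN_OR_CONF.search(uri):
        return "hidden/conf"
    if PHP_HANDLER.search(uri):
        return "php-fpm"
    if uri.lower().endswith(".php"):
        # No rule matched: the default location would serve the file as-is.
        return "static"
    return "other"


def unhandled_php(uris):
    """List the .php URIs that none of the three rules cover."""
    return [u for u in uris if classify(u) == "static"]


# Constructed sample URIs, not taken from any real site.
SAMPLES = [
    "/index.php",
    "/upload/avatar.php",
    "/Images/2024/a1.php",
    "/includes/config.php",
    "/.git/HEAD",
    "/lib/db-utils.php",
    "/css/site.css",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:25} -> {classify(uri)}")
    print("served as plain files:", unhandled_php(SAMPLES))
```

Any URI reported as "static" is a script whose source would be sent to the client unless another location covers it.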