diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf
index ebc2022..f278298 100644
--- a/coraza-spoa/overrides.conf
+++ b/coraza-spoa/overrides.conf
@@ -57,12 +57,41 @@ SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
 # ---------------------------------------------------------------------------
 SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
 
+# ---------------------------------------------------------------------------
+# 920440 — URL file extension restricted by policy
+# Catches probes for backup / config / dump files: .bak, .old, .save,
+# .swp, .sql, .dist, .backup. Promoted to enforce after empirical
+# observation on whp01 (2026-05-12, first ~30 min of detect-only):
+# 124 events, all backup-file recon — `/wp-config.php.old`,
+# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a
+# single GCP-hosted scanner. Zero false positives observed; standard
+# WP/WooCommerce/Divi/HPR URLs do not end in these extensions.
+# ---------------------------------------------------------------------------
+SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
+
+# ---------------------------------------------------------------------------
+# 930130 — Restricted File Access Attempt
+# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local /
+# .env.bak / .env.save variants), .git/config, config.php at root or under
+# /admin /backend, etc. Distinct from 930120 (system file paths like
+# /etc/passwd); this targets application secret files.
+#
+# Promoted to enforce on the same observation pass that justified 920440:
+# 117 events split across joshuaknapp.net (136), cgdannyb.com (51),
+# onlinesupplements.net (23) — all `.env`-class disclosure probes.
+# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...`
+# audio delivery path does NOT trigger this rule — verified empirically.
+# ---------------------------------------------------------------------------
+SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
+
 # ---------------------------------------------------------------------------
 # Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
 # on customer mix. Promote individually after observation:
 #
 # 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
 # 942xxx (SQLi) — WP admin queries reflected in params
-# 920xxx (Protocol) — Cloudflare-in-front sometimes injects odd headers
+# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
+# 933150 — PHP injection FP on WooCommerce checkout
+# (`session_start` literal appearing in billing form data)
 # 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
 # ---------------------------------------------------------------------------
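Review bot: The event counts in the new 930130 comment do not reconcile — the per-host figures joshuaknapp.net (136), cgdannyb.com (51) and onlinesupplements.net (23) sum to 210, yet the total is stated as 117, so one of the two must be corrected before this justification is relied on. The 920440 comment lists seven extensions (.bak, .old, .save, .swp, .sql, .dist, .backup), but what the rule actually blocks is whatever `tx.restricted_extensions` holds in this deployment's crs-setup.conf, and the CRS default list is considerably wider (it includes, for example, `.log`, `.ini`, `.conf`, `.db`); the "standard URLs do not end in these extensions" false-positive assessment therefore only covers the documented subset unless the full configured list was checked, which the comment should say explicitly. Both promotions rest on roughly thirty minutes of detect-only traffic dominated by a single scanner, which is thin evidence for a zero-FP claim across a multi-tenant customer mix; a one-line reminder such as `# Re-review after ~7 days of enforce-mode logs before treating the zero-FP finding as settled` would keep that caveat attached to the rule rather than lost in commit history.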