diff --git a/site-config.conf b/site-config.conf
index 99684a0..58cd7bd 100644
--- a/site-config.conf
+++ b/site-config.conf
@@ -17,17 +17,24 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
 include snippets/ssl.conf;
 
+ # Check for banned IPs
+ if ($is_banned) {
+ rewrite ^ @banned last;
+ }
+
+ # Banned location handler
+ location @banned {
+ internal;
+ add_header Content-Type text/plain;
+ return 403 "403 Forbidden (IP temporarily banned)\n";
+ }
+
 # Default error page config
 include snippets/error-pages.conf;
 
 # Apply general rate limit
 limit_req zone=general burst=100 nodelay;
 
- # Check for banned IPs
- if ($is_banned) {
- rewrite ^ @banned last;
- }
-
 # Content Security Policy (needs to be per-domain)
 add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
 
@@ -40,11 +47,6 @@ server {
 }
 root "$site_root/www";
 
- # Banned location handler
- location @banned {
- return 403;
- }
-
 # Domain-specific error pages
 error_page 403 /domain-error-page/403.html;
 error_page 404 /domain-error-page/404.html;
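Review bot: `rewrite ^ @banned last;` in the added `if ($is_banned)` block is unlikely to ever enter `location @banned`, because a named location is only reachable through `try_files` or `error_page`; a rewrite to the literal URI `@banned` re-runs ordinary location matching, so a banned client would most likely fall through to the regular handlers instead of receiving the 403, which makes the ban fail open. The fail-closed form is to return straight from the `if`, e.g. `if ($is_banned) { return 403 "403 Forbidden (IP temporarily banned)\n"; }` with `default_type text/plain;` beside it, which also makes the `location @banned` block and its `internal;` (redundant, since named locations are never externally addressable) unnecessary. If the named location is kept, `add_header Content-Type text/plain;` should become `default_type text/plain;`, as add_header appends a second Content-Type header rather than replacing the one nginx already sets for the `return` body. Whether the `error_page 403 /domain-error-page/403.html;` context line in the second hunk still replaces the plain-text body of `return 403 "..."` is not decidable from here and should be confirmed, since the commit's message text suggests the body is meant to reach the client.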