From
http://php.net/manual/en/install.fpm.configuration.php
security.limit_extensions string
Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php .phar