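--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,9 +1,20 @@
+server_tokens off
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
+ssl_buffer_size 8k;
 ssl_session_tickets off;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
-ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 ssl_ecdh_curve secp384r1;
-
+# Security headers
+## X-Content-Type-Options: avoid MIME type sniffing
+add_header X-Content-Type-Options nosniff;
+## Content-Security-Policy (CSP): Yes
+## No 'script-src' directive, you need to test it yourself
+add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
+## The safest CSP, only block your website to be inside an inframe
+# add_header Content-Security-Policy "frame-ancestors 'self';";
+## Strict Transport Security (HSTS): Yes
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";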
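Review bot: The first added line, `server_tokens off`, has no terminating semicolon, so nginx will swallow the following `ssl_session_cache` directive as extra arguments and reject the whole file at load time; it should read `server_tokens off;`. The three `add_header` lines carry no `always` flag, so nginx emits these headers only on success and redirect status codes and error responses go out without HSTS or CSP — `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;` (and likewise for the other two) closes that gap. Note also that `add_header` directives are inherited from this level only when a nested server or location block defines none of its own, so any block that adds even one header silently drops all three; a comment stating that caveat above `# Security headers` would save the next maintainer a surprise. The enclosing context of these directives is not visible in the hunk.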