# Configure secure access with letsencrypt ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Add some ssl settings from Mozilla # see: https://ssl-config.mozilla.org ssl_protocols TLSv1.3; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; resolver 127.0.0.1; # Add some basic security headers from OWASP # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always; add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "0" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always; add_header Cross-Origin-Opener-Policy "same-origin" always; add_header Cross-Origin-Resource-Policy "same-site" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always; add_header Server "webserver" always; add_header X-Robots-Tag "noindex, nofollow" always;