Nginx Modern Secure Configuration Servers & Reverse Proxies 2022
# Note: Assumes an ECC (ECDSA) TLS certificate. A P-256 key gives security comparable to a ~3072-bit RSA key with a far smaller key and certificate and a cheaper handshake.
# Updating to an ECC cert from an RSA one is very easy if you use certbot.
# An RSA cert also works with this config unchanged: "ECDHE+AESGCM" / "ECDHE+CHACHA20" match both the ECDHE-ECDSA and ECDHE-RSA suites, since ECDHE is the key exchange, not the certificate type. Only if you deliberately add DHE suites do you need an ssl_dhparam file with strong (>= 2048-bit, ideally RFC 7919 ffdhe) parameters.
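server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.tld;

    # fullchain.pem carries the leaf plus intermediate(s); chain.pem (intermediate
    # only) is the trust anchor nginx needs to verify the stapled OCSP response.
    ssl_certificate /etc/letsencrypt/live/yourdomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.tld/chain.pem;

    # TLS 1.2 is kept only for older clients. TLS 1.3 suites are not governed by
    # ssl_ciphers (OpenSSL selects them from its own fixed list).
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. "ECDHE+AESGCM" matches both ECDHE-ECDSA
    # and ECDHE-RSA, so this list works with either certificate type.
    # CCM8 (64-bit authentication tag) and ARIA (rarely supported) are dropped.
    ssl_ciphers ECDHE+CHACHA20:ECDHE+AESGCM;
    # Server-side group preference; X448 is listed first but few clients offer
    # it, so most handshakes will use X25519 or P-256.
    ssl_ecdh_curve X448:X25519:prime256v1:secp521r1;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # Ticket keys are generated once at startup and never rotated unless
    # ssl_session_ticket_key is managed externally, so a long-lived worker
    # undermines forward secrecy for resumed TLS 1.2 sessions. Keep them off;
    # the shared session cache above still provides resumption.
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used only for the OCSP fetch. This is plain DNS; point it at a
    # resolver you trust on the path if tampering with that lookup is a concern.
    resolver 1.1.1.1 1.0.0.1 valid=420s;

    # Security Headers
    # NOTE: add_header is NOT inherited into a location block that declares any
    # add_header of its own. Repeat these (or move them into an include) in every
    # location that sets its own headers, or they silently disappear there.
    # A CSP is very important but must be tailored to your site, so it is
    # commented out and given as an example only. 'unsafe-inline' in style-src
    # weakens it; prefer hashes or nonces where you can.
    # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src 'self' https://yourbucket.s3.eu-west-2.amazonaws.com/; style-src 'self' 'unsafe-inline'; font-src 'self'" always;
    # "preload" commits the whole domain (including every subdomain) to the
    # browser HSTS preload list; only submit it once everything serves HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # "always" also emits the header on 4xx/5xx responses, where reflected or
    # error-page content is most likely to be abused.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    # The XSS auditor is gone from modern browsers and could be abused for
    # cross-site leaks where it remains; "0" disables it explicitly.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin" always;
    add_header X-Robots-Tag "noarchive" always;
    server_tokens off;
    root /var/www/html;
}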
# Plain-HTTP listener. Nothing is served here: every request is answered with a
# permanent redirect to the HTTPS origin, preserving path and query string.
server {
    server_name yourdomain.tld;
    listen 80;
    listen [::]:80;

    # Hide the nginx version from the redirect response and keep crawlers
    # from indexing the HTTP endpoint itself.
    server_tokens off;
    add_header X-Robots-Tag "noindex, nofollow";

    return 301 https://yourdomain.tld$request_uri;
}