Skip to content

Instantly share code, notes, and snippets.

Last active March 31, 2024 18:40
Show Gist options
  • Save plentz/6737338 to your computer and use it in GitHub Desktop.
Save plentz/6737338 to your computer and use it in GitHub Desktop.
Best nginx configuration for improved security(and performance)
# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# don't send the nginx version number in error pages and Server header
server_tokens off;
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
add_header X-Frame-Options SAMEORIGIN;
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# currently suppoorted in IE > 8
# 'soon' on Firefox
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
add_header X-XSS-Protection "1; mode=block";
# with Content Security Policy (CSP) enabled(and a browser that supports it(,
# you can tell the browser that it can only download content from the domains you explicitly allow
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src; object-src 'none'";
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;
# enable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
ssl_protocols TLSv1.2 TLSv1.3;
# ciphers chosen for forward secrecy and compatibility
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;
# config to enable HSTS(HTTP Strict Transport Security)
# to avoid ssl stripping
# also
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# ... the rest of your configuration
Copy link

hongbo-miao commented Sep 12, 2020

Here is HTTP/3 support

server {
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3

    ssl_protocols       TLSv1.3; # QUIC requires TLS 1.3
    ssl_certificate     ssl/;
    ssl_certificate_key ssl/;

    add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    add_header QUIC-Status $quic;     # Sent when QUIC was used

Copy link

rfl890 commented Jan 17, 2022

You should probably change the resolver to
Which are Cloudflare's DNS servers, which are privacy focused and faster than Google

Copy link

rooch84 commented Jan 17, 2022

@rfl890 do you have any supporting evidence? I don't dispute your claims, but I think changes should be made objectively.

Copy link

rfl890 commented Jan 24, 2022

@rooch84 Well if you go to their website ( and scroll down a bit, it shows a comparison between DNS resolvers and it shows that it is indeed the fastest. They might be lying, but what reason would they have? You don't pay for using the DNS itself, it's free. And in the privacy policy (, in section 2, they specifically say they only collect the minimum amount of data needed and all data is anonymized. I'm not trying to "root for them" or anything, but well, you asked for it

Copy link

@rooch84 You can check the relevant data about latency/speed here.

And a privacy-focused report, made by a 3rd party audit company (KPMG) here (bottom mid section leads to this pdf).

Copy link

rooch84 commented Feb 2, 2022

Thanks @rfl890 and @Peneheals for the info. Looks like a sensible change to me.

Copy link

Getting an unknown variable "quic". Http/3 works on Chromium but not Firefox, what do I have to do?

Copy link

Copy link

Wiilf commented Apr 15, 2023


This prioritizes cipher suites that support PFS and use ECC, while also using 128-bit encryption for improved performance on older devices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment