Just an Nginx configuration

common.conf

# Config to disallow the browser to render the page inside an iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# Do not send the HTTP 'Referer' header to outside domains
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy same-origin;


# Specify that this site should always be loaded over HTTPS
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";


# with Content Security Policy (CSP) enabled,
# you can tell the browser that it can only download content from the domains you explicitly allow
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self';
    connect-src 'self';
    script-src 'self' *.googleanalytics.com;
    img-src 'self' *.cloudflare.com;
    style-src 'self' *.fontawesomecdn.com;
    font-src 'self' *.fontawesomecdn.com;
    upgrade-insecure-requests;";


set $rootUrl /usr/share/nginx/html;

# nginx gzip_static does not add Vary header for fonts. 
location ~* \.(?:eot|otf|ttf|svg)$ {
    root   $rootUrl;
    expires max;
    add_header Vary Accept-Encoding;
    add_header Cache-Control public;
    access_log off;
}

# # woff fonts should not be zipped
location ~* \.(?:woff)$ {
    root   $rootUrl;
    expires 30d;
    add_header Cache-Control public;
    access_log off;
}

location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    root   $rootUrl;    
    expires 30d;
    add_header Pragma public;
    add_header Cache-Control public;
    access_log off;
}

nginx.conf

worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile  on;
    keepalive_timeout  65;
    gzip  on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;
    port_in_redirect  off;

    
    # HTTPS server
    server {
        set         $rootUrl /usr/share/nginx/html;    
        listen      8443;
        server_name localhost;

        location / {
            root  $rootUrl;
            index index.html;
        }
        
        error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   $rootUrl;
        }
        
        include common.conf;
    }

    # HTTP server (local testing)
    server {
        set         $rootUrl /usr/share/nginx/html;
        listen      8080;
        server_name localhost;

        location / {
            root   $rootUrl;
            index  index.html;
        }

        error_page  404  /404.html;
        
        include common.conf;


        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   $rootUrl;
        }
    }    
}

https://haydenjames.io/nginx-tuning-tips-tls-ssl-https-ttfb-latency/

ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1; # see here and here (pg. 485)
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 24h;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/your/CA/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_buffer_size 4k; # I've since found 8k works best for this blog. (test!!) Default = 16k