nginx.conf

server {
  listen 443 ssl default deferred;
  server_name .forgott.com;
  #don't send the nginx version number in error pages and Server header
  server_tokens off;

  ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
  ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS';

  # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
  # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  resolver 8.8.8.8;
  ssl_stapling on;
  ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

  # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
  # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
  add_header Strict-Transport-Security max-age=31536000;
  # config to don't allow the browser to render the page inside an frame or iframe
  # and avoid clickjacking https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
  add_header X-Frame-Options DENY;

  #... the rest of your configuration
}