nbeguier · November 6, 2024 09:51
diff --git a/nginx.conf b/nginx.conf
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name __REDACTED__;
  ssl_certificate __REDACTED__ ;
  ssl_certificate_key __REDACTED__;

  # Only return Nginx in server header
  server_tokens off;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  ssl_protocols TLSv1.2 TLSv1.3;

  # Compilation of the top cipher suites 2024
  # https://ssl-config.mozilla.org/#server=nginx
  ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;

  # Perfect Forward Secrecy(PFS) is frequently compromised without this
  ssl_prefer_server_ciphers on;

  ssl_session_tickets off;
  # Enable SSL session caching for improved performance
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  # By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
  # To minimize Time To First Byte it may be beneficial to use smaller values
  ssl_buffer_size 8k;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # Security headers
  ## X-Content-Type-Options: avoid MIME type sniffing
  add_header X-Content-Type-Options nosniff;
  ## Content-Security-Policy (CSP): Yes
  ## No 'script-src' directive, you need to test it yourself
  add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
  ## The safest CSP, only block your website to be inside an inframe
  # add_header Content-Security-Policy "frame-ancestors 'self';";
  ## Strict Transport Security (HSTS): Yes
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

 }
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name __REDACTED__;
	ssl_certificate __REDACTED__ ;
	ssl_certificate_key __REDACTED__;

	# Only return Nginx in server header
	server_tokens off;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	ssl_protocols TLSv1.2 TLSv1.3;

	# Compilation of the top cipher suites 2024
	# https://ssl-config.mozilla.org/#server=nginx
	ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;

	# Perfect Forward Secrecy(PFS) is frequently compromised without this
	ssl_prefer_server_ciphers on;

	ssl_session_tickets off;
	# Enable SSL session caching for improved performance
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	# By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
	# To minimize Time To First Byte it may be beneficial to use smaller values
	ssl_buffer_size 8k;

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	# Security headers
	## X-Content-Type-Options: avoid MIME type sniffing
	add_header X-Content-Type-Options nosniff;
	## Content-Security-Policy (CSP): Yes
	## No 'script-src' directive, you need to test it yourself
	add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
	## The safest CSP, only block your website to be inside an inframe
	# add_header Content-Security-Policy "frame-ancestors 'self';";
	## Strict Transport Security (HSTS): Yes
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

	}