My nginx SSL and HTTP header config snippet
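# HTTPS server block: TLS settings followed by security response headers.
# `more_set_headers` comes from the headers-more module; it must be present in this
# nginx build or the header lines below will not parse.
server {
    # Accept TLS + HTTP/2 on IPv6 and IPv4.
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    # Certificate chain and key; the same chain is used to verify stapled OCSP responses.
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    # DH parameters backing the EDH suites listed in ssl_ciphers.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Only TLS 1.2 is offered (TLS 1.0/1.1 disabled). Adding TLSv1.3 requires an
    # nginx/OpenSSL build that supports it — not verifiable from this snippet.
    ssl_protocols TLSv1.2;
    # 50 MB shared session cache with a one-day lifetime for session-ID resumption.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # Applies to TLS connections nginx makes to upstreams, not to client connections.
    proxy_ssl_session_reuse off;
    # Server chooses the suite: AEAD ECDHE/DHE first; anonymous, export, DES/3DES, RC4,
    # MD5 and PSK suites excluded.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # OCSP stapling with response verification. nginx needs a `resolver` directive
    # (not in this snippet) to reach the OCSP responder — confirm it is set elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS: ~6 months, includes subdomains, eligible for browser preload lists.
    more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload";
    # HPKP is deprecated and no longer enforced by current browsers. Clients that still
    # honour it are locked out for up to max-age (90 days) if the served key stops matching
    # a pin, so keep the pins (including a backup pin) in sync with every key rotation,
    # or drop the header.
    more_set_headers 'Public-Key-Pins: pin-sha256="+oXoiEF2sFHvQGpvaTU/4m0DKMnWBQoIHh7gNyZWun8="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; pin-sha256="pM+iwkeddeZ4Dye7uu1YlGs0hj7w6QL06qDO7DcwGII="; max-age=7776000; includeSubDomains';
    # CSP: 'unsafe-inline' and 'unsafe-eval' in default-src largely defeat the
    # script-injection protection the policy otherwise provides. `reflected-xss` and
    # `referrer` are not standard CSP directives and are ignored by browsers; the
    # intended referrer policy is therefore also sent as a Referrer-Policy header below.
    more_set_headers "Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.compilenix.org compilenix.org dharma.no-trust.org *.googleapis.com *.gstatic.com *.gravatar.com code.jquery.com; frame-ancestors 'self' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer;";
    # Standard header carrying the policy the ignored CSP `referrer no-referrer` meant to set.
    more_set_headers "Referrer-Policy: no-referrer";
    # Legacy clickjacking protection for browsers without CSP frame-ancestors support.
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    # Legacy XSS-filter hint; major browsers have removed the filter it controlled.
    more_set_headers 'X-XSS-Protection: 1; mode=block';
    # Disable MIME-type sniffing of responses.
    more_set_headers "X-Content-Type-Options: nosniff";
}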
Ref: