Kleine Pimmel Scripts


ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256;
ssl_ecdh_curve secp384r1;

ssl_stapling on;
ssl_stapling_verify on;

## Optional security:

#add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;"; # Required for A+ on SSLLabs SSLTest.
#add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
#add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
#add_header X-Frame-Options SAMEORIGIN;
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";