Nginx: TLS Security Configuration 2026
# Nginx TLS security configuration
# Updated: 2026-05-02
# Baseline: Mozilla SSL Configuration Generator 6.0, Intermediate
#
# Two server blocks: the first only redirects plain HTTP to HTTPS, the second
# terminates TLS and sets the response security headers.
#
# NOTE(review): nginx does not merge add_header across configuration levels.
# A location block that declares its own add_header drops every server-level
# header set below; keep these headers in an included snippet if locations
# need their own add_header lines.
server {
    listen 80;
    listen [::]:80;
    server_name __REDACTED__;
    # $host is derived from the request (Host header / request line), not from
    # server_name. While this block is reached only through a matching
    # server_name that is fine; if it also acts as default_server, prefer a
    # literal hostname so a client-supplied Host cannot choose the redirect target.
    return 301 https://$host$request_uri;
}
server {
    # Nginx >= 1.25.1
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    # For older Nginx, use instead:
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name __REDACTED__;
    ssl_certificate __REDACTED__;
    ssl_certificate_key __REDACTED__;
    # Omit the nginx version from the Server header and built-in error pages.
    server_tokens off;
    # TLS 1.0/1.1 excluded. TLS 1.3 suites are not governed by ssl_ciphers;
    # see the optional ssl_conf_command below.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    # TLS 1.2 list: ECDHE only (forward secrecy) and AEAD only (GCM,
    # ChaCha20-Poly1305). No DHE suites, so no ssl_dhparam is required.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # All listed suites are equally acceptable, so let the client order them
    # (e.g. ChaCha20 on hardware without AES acceleration).
    ssl_prefer_server_ciphers off;
    # Optional on Nginx >= 1.19.4 with a compatible OpenSSL build.
    # ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # Session tickets are disabled (a long-lived ticket key weakens forward
    # secrecy); resumption relies on the server-side cache below instead.
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_buffer_size 8k;
    # OCSP stapling. ssl_stapling_verify requires the issuing chain in
    # ssl_trusted_certificate, and the resolver below is used to look up the
    # OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate __REDACTED_ROOT_CA_PLUS_INTERMEDIATES__;
    # NOTE(review): OCSP responder lookups go to these public resolvers over
    # plain DNS; a local/internal resolver avoids that external dependency.
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;
    # "always" emits the headers on error responses too, not only on 2xx/3xx.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    # Enforced policy covers plugins, <base>, and framing (frame-ancestors
    # supersedes X-Frame-Options); the broader source policy is report-only.
    add_header Content-Security-Policy "object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
    # NOTE(review): this report-only policy has no report-uri / report-to
    # directive, so violations surface only in the browser console and are
    # not delivered anywhere; add a reporting endpoint before relying on it.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
    # Add "; preload" only after all subdomains support HTTPS and you intend to submit to hstspreload.org.
    # max-age 63072000 s = 2 years.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}