Security hardening guide for Nginx on Debian/Ubuntu: Let's Encrypt certificates via certbot, a TLS 1.2/1.3-only configuration with OCSP stapling, and HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), plus basic request and dot-file restrictions.
# /etc/nginx/nginx.conf inside http {}:
# Hides the nginx version string in the Server header and on built-in error
# pages. The "Server: nginx" name itself is still sent; stripping it requires a
# third-party module (e.g. headers-more), so treat this as fingerprint
# reduction, not a security control.
server_tokens off;
# Debian/Ubuntu: install certbot and its nginx installer plugin (needs root).
apt install certbot python3-certbot-nginx
# Obtains a Let's Encrypt certificate covering both names and edits the
# matching server {} block to add ssl_certificate/ssl_certificate_key.
# NOTE(review): the nginx plugin also inserts
# `include /etc/letsencrypt/options-ssl-nginx.conf;` into that server block;
# server-level ssl_protocols/ssl_ciphers from that file override any values
# set at http {} level, so re-check the generated block against your own
# TLS settings after this command runs.
certbot --nginx -d mydomain.com -d www.mydomain.com
# Simulates a full renewal without touching the live certificate. Scheduled
# renewal is handled by the package's systemd timer
# (`systemctl list-timers 'certbot*'`); this only proves it would succeed.
certbot renew --dry-run
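# --- TLS ---------------------------------------------------------------------
# TLS 1.2 and 1.3 only (SSLv3, TLS 1.0 and 1.1 disabled). TLS 1.3 cipher suites
# are fixed by nginx/OpenSSL and are NOT controlled by ssl_ciphers below.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: forward-secret ECDHE with AEAD ciphers only. ChaCha20 is
# offered for clients without AES hardware acceleration (common on mobile).
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# Every suite above is acceptable, so let the client pick the one it handles
# fastest (Mozilla "intermediate" guidance).
ssl_prefer_server_ciphers off;
# Session tickets are encrypted with a key nginx never rotates unless you
# manage ssl_session_ticket_key yourself; disabling them preserves forward
# secrecy at the cost of TLS session resumption.
ssl_session_tickets off;
# NOTE(review): certbot's --nginx installer typically adds
# `include /etc/letsencrypt/options-ssl-nginx.conf;` inside the server {}
# block. Server-level ssl_protocols/ssl_ciphers override these http-level
# values, so verify the effective settings (e.g. with the SSL Labs test).

# --- OCSP stapling -------------------------------------------------------------
# Stapling needs a resolver to reach the CA's OCSP URL and the issuer chain to
# validate the response; without both it silently does nothing.
ssl_stapling on;
ssl_stapling_verify on;
# chain.pem is written by certbot for the first -d name given on the command line.
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
# systemd-resolved stub resolver; replace with your DNS server if you do not use it.
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;
# NOTE(review): Let's Encrypt has announced the end of its OCSP service; if
# your CA no longer runs OCSP responders, stapling cannot work. Verify with
# `openssl s_client -connect mydomain.com:443 -status` and look for "OCSP Response Status".

# --- Security headers -----------------------------------------------------------
# GOTCHA: add_header is inherited from http {} ONLY if the server {} or
# location {} block defines no add_header of its own. A single add_header in a
# lower block silently drops every header set here. Re-declare them there, or
# put this list in a snippet and `include` it at each level that needs it.

# HSTS: one year, all subdomains. `preload` commits the domain to the browser
# preload list (hstspreload.org); that is effectively irreversible and forces
# HTTPS on every subdomain, so remove it until you intend to submit.
# Browsers ignore HSTS on plain-HTTP responses, so sending it from the port-80
# redirect server is harmless.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Clickjacking protection for legacy browsers; CSP frame-ancestors below is the
# modern equivalent and takes precedence where supported.
add_header X-Frame-Options "SAMEORIGIN" always;
# Stops browsers from MIME-sniffing responses away from the declared Content-Type.
add_header X-Content-Type-Options "nosniff" always;
# The XSS auditor has been removed from modern browsers and "1; mode=block"
# could be abused for cross-site leaks in the ones that had it. OWASP/MDN
# guidance is to set it to "0" (disabled) or omit the header entirely.
add_header X-XSS-Protection "0" always;
# Send full referrer only to same-origin; cross-origin gets scheme+host only.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Strict CSP: blocks inline <script>/<style> and every third-party source, and
# forbids framing by other origins. This WILL break sites that rely on inline
# scripts or CDNs — deploy as Content-Security-Policy-Report-Only first and
# review the violation reports before enforcing.
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; base-uri 'self';" always;
# `always` sends the headers on error responses (4xx/5xx) too, not only on 2xx/3xx.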
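# Catch-all for requests whose Host header matches none of our names. Without
# it, this first server {} becomes the implicit default and the redirect below
# would reflect an attacker-supplied Host header into the Location target
# (Host-header injection / open redirect). 444 closes the connection without
# a response. A matching default_server on 443 is needed as well, otherwise
# the first TLS server block answers for any SNI name.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Plain-HTTP entry point: permanent redirect to HTTPS, preserving the path
# and query string. Add `listen [::]:80;` here and above if the host has IPv6.
server {
    listen 80;
    # Both public names, so www requests keep their hostname after the redirect.
    server_name mydomain.com www.mydomain.com;
    # $host is safe here only because the default_server above swallows every
    # other Host value; requests reaching this block carry one of the names
    # listed in server_name.
    return 301 https://$host$request_uri;
}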
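# Cap request bodies (uploads, POST data) at 10 MB; larger requests get 413.
client_max_body_size 10M;
# Close idle keep-alive connections after 15 s to limit slow-client resource use.
keepalive_timeout 15;

# NOTE(review): `if` and `location` are NOT valid inside http {} — the two
# directives below must go inside the HTTPS server {} block, or `nginx -t` fails.
# Allow only GET/HEAD/POST; anything else has its connection closed without a
# response (444). Keep this at server {} level: `if` inside a location {} has
# well-known side effects — use `limit_except` there instead.
# This also blocks OPTIONS (CORS preflight), PUT and DELETE; widen the list if
# the site serves an API.
if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
# Hide dot-files and dot-directories (.git, .env, .htaccess, ...) with a 404
# rather than a 403, which would confirm the path exists. `return` runs in
# the rewrite phase, before `deny` is evaluated, so a `deny all` alongside it
# is dead code and has been dropped. /.well-known/ is excluded so ACME
# HTTP-01 renewals (webroot challenges) keep working.
location ~ /\.(?!well-known/) { return 404; }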
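# Validate syntax and referenced files (certs, includes) and reload only if
# the test passes; a bad config then never reaches the reload step.
nginx -t && systemctl reload nginx
# Confirm the headers actually reach clients — add_header inheritance can
# silently drop them when a lower block sets its own — and that plain HTTP
# redirects to HTTPS.
curl -sI https://mydomain.com/ | grep -iE '^(strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy):'
curl -sI http://mydomain.com/ | grep -iE '^(HTTP/|location:)'
# Check the TLS grade and the effective protocol/cipher list:
# https://www.ssllabs.com/ssltest/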