ssl_stapling                  on;
ssl_stapling_verify           on;
ssl_prefer_server_ciphers     on;

ssl_ciphers                   TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!EDH:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA;
ssl_protocols                 TLSv1.2 TLSv1.3;
ssl_ecdh_curve                X25519:secp384r1;

ssl_session_cache             shared:SSL:1m;
ssl_session_timeout           5m;

add_header                    Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header                    X-Frame-Options DENY;
add_header                    X-Content-Type-Options nosniff;
add_header                    X-XSS-Protection "1; mode=block";