# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# https://ssl-config.mozilla.org & https://observatory.mozilla.org
# https://securityheaders.com
# TLSv1.2
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers off;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling off; # Turn on Prod systems
ssl_stapling_verify off;
resolver 127.0.0.1 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

# IMPORTANT: disable HSTS in dev (or explicitly clear it)
add_header Strict-Transport-Security "max-age=0" always;