ssl_session_timeout 1d; ssl_session_cache shared:TLS:1m; ssl_session_tickets off; ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EECDH+AES256 !aNULL:!MD5'; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;