server { listen 80; listen [::]:80; server_name neonaluminum.com www.neonaluminum.com; #3 configure a new HTTP (80) server block to redirect all http requests to your webserver to https return 301 https://neonaluminum.com$request_uri; } server { listen 443 ssl; # managed by Certbot server_name neonaluminum.com; #1 Where are the root key and root certificate located? ssl_certificate /etc/letsencrypt/live/www.neonaluminum.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.neonaluminum.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot #4 enabling secure cipher suites and TLS protocols only within the 443 SSL server block. # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; #5 Add HTTP Strict Transport Security (HSTS) within the 443 SSL server block. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; #6 Server_tokens off server_tokens off; #8 disable content-type sniffing on some browsers add_header X-Content-Type-Options nosniff; #7 set the X-Frame-Options header to same origin add_header X-Frame-Options SAMEORIGIN; #9 enable cross-site scripting filter built in # https://www.owasp.org/index.php/List_of_useful_HTTP_headers add_header X-XSS-Protection "1; mode=block"; # disable sites with potentially harmful code # https://content-security-policy.com/ add_header Content-Security-Policy "default-src 'self'; script-src 'self' ajax.googleapis.com; object-src 'self';"; # referrer policy add_header Referrer-Policy "no-referrer-when-downgrade"; # certificate transparency # https://thecustomizewindows.com/2017/04/new-security-header-expect-ct-header-nginx-directive/ add_header Expect-CT max-age=3600; root /var/www/neonaluminum.com/html; index index.html; }