# Basic timeout and buffer settings client_max_body_size 50M; client_body_buffer_size 128k; client_header_timeout 10s; client_body_timeout 10s; send_timeout 10s; # Limit request rate limit_req_zone $binary_remote_addr zone=req_limit:10m rate=30r/s; limit_conn_zone $binary_remote_addr zone=conn_limit:10m; # SSL / TLS hardening ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # Security headers add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "no-referrer-when-downgrade"; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()"; # Hide nginx version server_tokens off;