From 2f25948d3c2c090d1a394cb60629d40b89191d90 Mon Sep 17 00:00:00 2001
From: Renken <renken@shione.net>
Date: Tue, 30 Jul 2024 01:20:35 +0200
Subject: shione: nginx: follow mozilla ssl recommendation

---
 .../shione/nginx/files/etc/nginx/sites-available/shione.net | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'config/shione/nginx/files')

diff --git a/config/shione/nginx/files/etc/nginx/sites-available/shione.net b/config/shione/nginx/files/etc/nginx/sites-available/shione.net
index 361089f..28f7afe 100644
--- a/config/shione/nginx/files/etc/nginx/sites-available/shione.net
+++ b/config/shione/nginx/files/etc/nginx/sites-available/shione.net
@@ -25,6 +25,7 @@ server {
 
         # SSL configuration
         #
+        # Partially generated by https://ssl-config.mozilla.org/.
         listen 443 ssl default_server;
         listen [::]:443 ssl default_server;
         #
@@ -44,6 +45,18 @@ server {
         ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
         include /etc/letsencrypt/options-ssl-nginx.conf;
 
+        # OCSP stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        #
+        # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        # Prevent spam.
+        add_header X-Robots-Tag "noai, noimageai" always;
+
         server_name shione.net www.shione.net;
 
         location ~* \.(htaccess|htpasswd) {
-- 
cgit v1.2.3