From 2aaf7cf8f8996468d294598f5ed508ba4007a557 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 24 Jan 2021 18:44:13 +0100
Subject: [PATCH] bundles/nginx: better ssl
---
 bundles/nginx/files/site_template | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index ab755c3..5853cfb 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -19,6 +19,7 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 % else:
@@ -33,6 +34,7 @@ server {
 add_header Referrer-Policy same-origin;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
 % endif
 location /.well-known/acme-challenge/ {
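Review bot: The added `ssl_session_tickets off;` in the first hunk carries no comment saying why, and the reason is not obvious to the next maintainer of this template. A one-line comment above it would do, e.g. `# session tickets off: without ticket-key rotation a long-lived key weakens forward secrecy`. With tickets disabled, resumption relies on the `ssl_session_cache shared:SSL:10m;` line above it; no `ssl_session_timeout` is visible in this hunk, so the nginx default presumably applies unless it is set elsewhere. The `server` block starts and ends outside the hunk.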
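Review bot: The header added in the second hunk, `add_header X-XSS-Protection "1; mode=block";`, turns on a legacy browser XSS filter that Chrome and Edge have removed and Firefox never implemented, and in the older browsers that still honour it the filter has itself been a source of cross-site information leaks. Current guidance (OWASP's secure-headers recommendations) is to send `add_header X-XSS-Protection "0";` or omit the header, and to rely on a Content-Security-Policy for script-injection defence. No CSP header is visible in this hunk, though the `server` block continues outside it. Separately, like the neighbouring headers, this `add_header` has no `always` parameter, so nginx will not emit it on 4xx/5xx responses.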