devtoolkit.sh/examples/security/nginx-ssl

Nginx SSL and Security Configuration

A secure Nginx configuration enables TLS 1.2 and 1.3 only, disables weak ciphers, adds HSTS to prevent protocol downgrade attacks, and sets security headers that browsers enforce. This example shows a production-ready server block with OCSP stapling, session caching, and a Diffie-Hellman parameter for perfect forward secrecy. The Nginx config formatter validates syntax and indentation before you push to a live server. Run nginx -t after every change to catch errors before reloading: it checks syntax and that the certificate and key files it references can be loaded, but it does not judge whether the protocols, ciphers or headers you chose are safe.

Example

# Production server block: TLS 1.2/1.3 only, OCSP stapling, DH parameters,
# HSTS and browser-enforced security headers. Validate with: nginx -t
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols and ciphers: no TLS 1.0/1.1, no static RSA key exchange, AEAD suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # DH parameters for the DHE suites (path is a placeholder;
    # generate with: openssl dhparam -out /etc/nginx/dhparam.pem 2048)
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling: ssl_stapling_verify needs the CA chain, and Nginx needs
    # a resolver to reach the OCSP responder (adjust to your DNS resolver)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # Security headers; "always" sends them on error responses too.
    # A location block that sets its own add_header drops these unless it repeats them.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}

FAQ

What is HSTS and why should I enable it?
HTTP Strict Transport Security tells browsers to always connect over HTTPS for a set duration (max-age). This prevents protocol downgrade attacks and cookie hijacking even if a user manually types http://. The browser has to see the header over HTTPS once before it enforces it, so the very first visit is not protected unless the domain is on the browsers' HSTS preload list.
What TLS versions should I support?
Support TLSv1.2 and TLSv1.3 only. TLSv1.0 and TLSv1.1 are deprecated and vulnerable to attacks like POODLE and BEAST. Major browsers block sites using old TLS versions.
What is OCSP stapling?
OCSP stapling lets the server pre-fetch and cache the certificate revocation status from the CA, then include it in the TLS handshake. This speeds up connections and improves privacy over standard OCSP requests. In Nginx it is enabled with ssl_stapling on; ssl_stapling_verify on additionally checks the stapled response against the chain given in ssl_trusted_certificate, and a resolver directive is required so Nginx can look up the OCSP responder.
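The checks the page makes (TLS 1.2/1.3 only, HSTS with a one-year max-age, the browser-enforced headers) are policy, and nginx -t does not check policy. The script below is an added example, not devtoolkit's formatter and not part of nginx: it parses a server block with a small line-based parser (assumed: one directive per line, '#' comments, blocks opened by a trailing '{' and closed by a lone '}') and reports the weak points. The config it runs on is a constructed sample with two deliberate weaknesses, TLSv1.1 still enabled and a location block whose own add_header silently drops the inherited security headers.

```python
"""Policy checker for an nginx TLS server block (added example, not devtoolkit's
formatter and not part of nginx). Checks: TLS 1.2/1.3 only, HSTS with a one-year
max-age and the `always` flag, nosniff, X-Frame-Options, and the add_header
inheritance pitfall. Assumes one directive per line, '#' comments, blocks opened
by a trailing '{' and closed by a lone '}'.
"""
import re
from typing import Dict, List, Tuple

MIN_HSTS_AGE = 31536000                       # one year, as in the page's config
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
Directive = Tuple[Tuple[str, ...], str, str]  # (block path, name, arguments)

# Constructed sample: the page's server block with two weaknesses introduced on
# purpose (TLSv1.1 enabled; a location whose own add_header drops the inherited headers).
SAMPLE_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
    location /api/ {
        add_header Cache-Control no-store;
        proxy_pass http://127.0.0.1:3000;
    }
}
"""


def parse_directives(text: str) -> List[Directive]:
    """Flatten the config into (block path, directive name, args) triples."""
    entries: List[Directive] = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside values)
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())  # e.g. 'server' or 'location /api/'
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            entries.append((tuple(stack), name, args.strip()))
    return entries


def headers_in(entries: List[Directive], path: Tuple[str, ...]) -> Dict[str, str]:
    """Map header name -> raw value and flags for add_header lines in one block."""
    out: Dict[str, str] = {}
    for p, name, args in entries:
        if p == path and name == "add_header":
            hname, _, rest = args.partition(" ")
            out[hname] = rest.strip()
    return out


def check_server_block(text: str) -> List[str]:
    """Return policy findings for the block; an empty list means it passes."""
    entries = parse_directives(text)
    findings: List[str] = []

    # 1. Protocol versions: anything outside TLS 1.2/1.3 is a finding; a missing
    #    directive is one too, since older nginx defaults enable TLSv1 and TLSv1.1.
    seen_protocols = False
    for _, name, args in entries:
        if name == "ssl_protocols":
            seen_protocols = True
            findings += [f"ssl_protocols enables deprecated {p}"
                         for p in args.split() if p not in ALLOWED_PROTOCOLS]
    if not seen_protocols:
        findings.append("no ssl_protocols directive (older nginx defaults also enable TLSv1 and TLSv1.1)")

    server_headers = headers_in(entries, ("server",))

    # 2. HSTS present, max-age >= one year, and 'always' so 4xx/5xx responses carry it too.
    hsts = server_headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below one year")
        if not hsts.endswith("always"):
            findings.append("HSTS header lacks the 'always' flag")

    # 3. MIME sniffing and clickjacking protections.
    if server_headers.get("X-Content-Type-Options", "").split()[:1] != ["nosniff"]:
        findings.append("missing X-Content-Type-Options nosniff")
    if server_headers.get("X-Frame-Options", "").split()[:1] not in (["DENY"], ["SAMEORIGIN"]):
        findings.append("missing X-Frame-Options DENY or SAMEORIGIN")

    # 4. Inheritance pitfall: a location with its own add_header inherits none of
    #    the server-level headers, so each one must be repeated there.
    for path in sorted({p for p, n, _ in entries if n == "add_header" and len(p) > 1}):
        local = headers_in(entries, path)
        findings += [f"{path[-1]} sets add_header but drops {h}"
                     for h in server_headers if h not in local]
    return findings


if __name__ == "__main__":
    for finding in check_server_block(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it on a real server block by reading the file into check_server_block(); the parser is deliberately simple (no include handling, no quoted '#' characters), so treat it as a pre-commit policy gate alongside nginx -t rather than a replacement for it.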
