# Security
server_tokens off;
add_header X-Frame-Options                   "SAMEORIGIN"               always;
add_header X-Content-Type-Options            "nosniff"                  always;
add_header X-XSS-Protection                  "1; mode=block"            always;
add_header Referrer-Policy                   "no-referrer"              always;
add_header X-Permitted-Cross-Domain-Policies "none"                     always;
add_header X-Robots-Tag                      "noindex, nofollow"        always;
# CSP breaks some webapps
# add_header Content-Security-Policy         "default-src 'self';"      always;

# http2
http2 on;

# http3
# Open port 443/udp to use http3
# Add reuseport to ONLY ONE virtual host: listen 443 quic reuseport;
listen 443 quic;
add_header Alt-Svc 'h3=":443"; ma=86400';
quic_retry on;
http3 on;

# Certbot defaults
listen 443 ssl;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;