From 754db685e57ddc2313e206b6c89bede3574dd1b0 Mon Sep 17 00:00:00 2001
From: toufic ar
Date: Wed, 4 Mar 2026 05:16:49 +0200
Subject: [PATCH] moarrr nginx hardening

---
 config/http/default.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/config/http/default.nix b/config/http/default.nix
index 6d6862d..8294f4e 100644
--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -28,17 +28,21 @@ in {
 recommendedProxySettings = true;
 recommendedBrotliSettings = true;
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL";
+ appendConfig = ''
+ ssl_prefer_server_ciphers on;
+ '';
 appendHttpConfig = ''
 map $scheme $hsts_header {
 https "max-age=31536000; includeSubdomains; preload";
 }
 more_set_headers 'Strict-Transport-Security: $hsts_header';
- more_set_headers 'Content-Security-Policy: default-src "self" *';
+ more_set_headers 'Content-Security-Policy: upgrade-insecure-requests';
 more_set_headers 'Referrer-Policy: origin-when-cross-origin';
 more_set_headers 'X-Frame-Options: DENY';
 more_set_headers 'X-Content-Type-Options: nosniff';
+ more_set_headers 'X-XSS-Protection: 0';
 '';
 virtualHosts.${customDomain} = {
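Review bot: The new `appendConfig` block puts `ssl_prefer_server_ciphers on;` where it is unlikely to be accepted: nginx documents that directive for the http and server contexts, and as far as I can tell NixOS's `appendConfig` is emitted at the main (top-level) context, so the generated config would probably fail validation on reload. The directive belongs next to the other TLS/header lines the hunk already adds, i.e. drop the `appendConfig` attribute and add `ssl_prefer_server_ciphers on;` as the first line of `appendHttpConfig`. Note also that `ssl_ciphers`/`sslCiphers` only governs TLS 1.2 and below, so this change does not affect TLS 1.3 suites, and the remaining `AES256+EECDH:AES256+EDH` groups still admit CBC (non-AEAD) suites after the preferred GCM/CHACHA20 ones, which is worth a comment in the Nix file if that is intentional. Separately, the replacement `Content-Security-Policy: upgrade-insecure-requests` contains no fetch directive, so it no longer restricts any source at all; the old value was already permissive (the trailing `*` and the double-quoted `"self"`, which is not valid CSP keyword syntax), but if a source restriction was the intent, a `default-src` directive still needs to be added. The enclosing attribute set continues past the end of the hunk.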