server_tokens off;

ssl_certificate /srv/plural.cafe/.acme.sh/plural.cafe/fullchain.cer;
ssl_certificate_key /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.key;
ssl_trusted_certificate /srv/plural.cafe/.acme.sh/plural.cafe/plural.cafe.cer;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_ecdh_curve X25519:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:TLS:2m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

keepalive_timeout 70;
sendfile on;
client_max_body_size 0;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;