diff --git a/contrib/nginx b/contrib/nginx
index e65044b..57b2049 100644
--- a/contrib/nginx
+++ b/contrib/nginx
@@ -1,10 +1,28 @@
 server {
- listen 443 ssl;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name jarbas.serenatadeamor.org;
 ssl_certificate /etc/letsencrypt/live/jarbas.serenatadeamor.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/jarbas.serenatadeamor.org/privkey.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_protocols TLSv1.2;
+ ssl_ecdh_curve secp384r1;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ #ssl_ciphers HIGH:!aNULL:!MD5;
+ #ssl_ciphers "EECDH+AESGCM:EECDH+AES";
+ #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ #ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+
+ ssl_dhparam /etc/ssl/certs/dhparam.pem
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+ access_log on;
 location /.well-known/ {
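Review bot: `ssl_dhparam /etc/ssl/certs/dhparam.pem` has no terminating semicolon, so nginx parses the following `ssl_stapling on;` as extra arguments of that directive and refuses to load the file — none of the TLS hardening in this hunk takes effect until the line reads `ssl_dhparam /etc/ssl/certs/dhparam.pem;`. `access_log on;` is also wrong: `access_log` takes a path (only `off` is special), so this writes the access log to a file literally named `on` under the nginx prefix; give it a real path or drop the line to keep the server-level default. Two smaller points: the active `ssl_ciphers` list is ECDHE-only, so the dhparam file is not used by any selected suite (presumably kept for the DHE suites in the commented-out alternatives), and `ssl_ecdh_curve secp384r1` pins a single curve where the current nginx default `auto` lets OpenSSL negotiate from its built-in list — confirm that narrowing is intended. `ssl_stapling_verify on` is normally paired with `ssl_trusted_certificate` pointing at the issuer chain; worth confirming it is set elsewhere in this file, otherwise nginx will log that stapling verification cannot be performed.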
@@ -30,6 +48,16 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;
 add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
+
+ # Disable preloading HSTS for now. You can use the commented out header line that includes
+ # the "preload" directive if you understand the implications.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' https://apis.google.com https://jarbas.serenatadeamor.org; style-src 'self'; object-src 'none'" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
 }
 }
@@ -38,4 +66,3 @@ server {
 server_name jarbas.serenatadeamor.org;
 return 301 https://jarbas.serenatadeamor.org$request_uri;
 }
-
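Review bot: The `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` lines lack `always`, unlike the HSTS, CSP and X-XSS-Protection lines beside them, so nginx omits those three headers on 4xx/5xx responses returned by the upstream; they should end `add_header X-Frame-Options "DENY" always;`, `add_header X-Content-Type-Options nosniff always;` and `add_header Referrer-Policy "strict-origin-when-cross-origin" always;`. With `default-src 'none'`, every fetch directive not listed in the CSP (connect-src, font-src, frame-src, media-src) falls back to blocked — presumably what this app needs, but confirm it makes no XHR/fetch calls and loads no web fonts before this ships. Adding `frame-ancestors 'none'` would give the CSP equivalent of the X-Frame-Options DENY set two lines above, and `base-uri 'self'` closes the base-tag injection gap that `default-src` does not cover. The enclosing location block starts outside the hunk.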