update

ssl/force.conf

@@ -1,3 +1,5 @@
+# Preserve the request method during HTTP->HTTPS upgrades. 301 is more common,
+# but 307 avoids surprising POST-to-GET rewrites on login and webhook paths.
 if ($scheme = http) {
 	return 307 https://$http_host$request_uri;
-}
+}

ssl/hsts-preload.conf

@@ -1,5 +1,8 @@
 set $hsts_header_value "";
 
+# Keep the same HTTP/HTTPS guard as hsts.conf. The only difference is the
+# preload token, which should be enabled only after the whole domain tree is
+# known to be HTTPS-only.
 if ($scheme = "https") {
 	set $hsts_header_value "max-age=31536000; includeSubDomains; preload";
 }

ssl/hsts.conf

@@ -1,5 +1,7 @@
 set $hsts_header_value "";
 
+# Only emit HSTS on HTTPS responses. This lets a single server block listen on
+# both 80 and 443 without sending a meaningless STS header over plain HTTP.
 if ($scheme = "https") {
 	set $hsts_header_value "max-age=31536000; includeSubDomains";
 }

ssl/security.conf

@@ -1,6 +1,13 @@
+# TLSv1.2+ is the practical modern baseline. Older protocols create more
+# compatibility burden than value in a shared default kit.
 ssl_protocols TLSv1.2 TLSv1.3;
+
+# Let nginx/OpenSSL pick the best named group set available on the host instead
+# of freezing a list that will age badly across distro upgrades.
 ssl_ecdh_curve auto;
 
+# Keep a small shared cache because session resumption helps repeat visitors,
+# but avoid huge caches that imply cross-host coordination.
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;