update

README.md

@@ -15,6 +15,7 @@ In server block:
 server {
 	# ...
 	include snippets/cert/mydomain.com.conf;
+	include	kit/ssl/security.conf;
 	include	kit/ssl/hsts.conf;
 	include	kit/ssl/force.conf;
 	# ...
@@ -28,7 +29,7 @@ server {
 ```bash
 cd /etc/nginx
 mkdir snippets/cert
-cp kit/templates/cert-example.com.conf snippets/cert/mydomain.com.conf
+cp kit/templates/cert/example.com.conf snippets/cert/mydomain.com.conf
 vi snippets/cert/mydomain.com.conf
 ```
 
@@ -38,6 +39,8 @@ Replace the path with yours, then include in your server block:
 server {
 	# ...
 	include snippets/cert/mydomain.com.conf;
+	include kit/ssl/security.conf;
+	include kit/ssl/hsts.conf;
 	# ...
 }
 ```

examples/example.com.conf

@@ -13,6 +13,7 @@ server {
 	index index.html index.htm;
 
 	include snippets/cert/mydomain.com.conf;
+	include kit/ssl/security.conf;
 	include kit/ssl/hsts.conf;
 	include kit/redirect/to-primary-domain.conf;
 	include kit/ssl/force.conf;

ssl/security.conf

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ecdh_curve auto;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+# Prefer stateless session resumption only when you rotate shared ticket keys.
+ssl_session_tickets off;