nginx-hardened-preferences/nginx.conf

user http;
worker_processes auto;
worker_cpu_affinity auto;

events {
    multi_accept on;
    worker_connections 1024;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    log_not_found off;
    types_hash_max_size 2048;
    client_max_body_size 16M;
    server_names_hash_bucket_size 64;

    # Logging
    #access_log /var/log/nginx/access.log;
    #error_log /var/log/nginx/error.log;
    log_format  main  '$remote_addr - [$time_local] "$request" '
            '$status $body_bytes_sent "$http_referer" '
            '"$http_user_agent" $request_time '
            '$upstream_response_time $pipe';

    # Enable compression
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_types  text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/rss+xml;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # X-XSS Protection
    add_header X-XSS-Protection "1; mode=block";

    # Add Strict-Transport-Security
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

    # X-Frame-Options
    add_header X-Frame-Options "DENY";
    
    # X-Content-Type-Options
    add_header X-Content-Type-Options nosniff;

    # X-Permitted-Cross-Domain-Policies
    add_header X-Permitted-Cross-Domain-Policies master-only;

    # Referrer-Policy
    add_header Referrer-Policy same-origin;

    # Content-Security-Policy
    add_header Content-Security-Policy "default-src 'self';";

    # load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}