default header buffers for auth tokens

etc/nginx/conf.d/buffers.conf

@@ -2,7 +2,7 @@
 ### NGINX configuration - buffers
 #######
 
-client_body_buffer_size 10k;
+client_body_buffer_size 16k;
 client_header_buffer_size 1k;
 client_max_body_size 10M;
-large_client_header_buffers 2 1k;
+large_client_header_buffers 4 8k;

etc/nginx/conf.d/mozModern_ssl.conf

@@ -15,9 +15,10 @@ ssl_session_tickets off;
 
 # SSL ciphers
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;
-ssl_early_data on;
+# if your NGINX build supports this and is using TLSv1.3, then enable
+#ssl_early_data on;
 
 # Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
 ssl_dhparam <path/to/your_dhparam.pem>;

etc/nginx/conf.d/proxyHeaders.conf

@@ -3,10 +3,14 @@
 #######
 
 proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Protocol $scheme;
-proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Protocol $scheme;
 proxy_set_header X-Forwarded-Server $host;
-proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Scheme $scheme;
+
+# if 'ssl_early_data' enabled in SSL configuration, then uncomment this
+#proxy_set_header Early-Data $ssl_early_data;

etc/nginx/conf.d/securityHeaders.conf

@@ -3,10 +3,14 @@
 ### (HTTPS specific headers are added in HTTPS configuration)
 #######
 
-add_header X-Robots-Tag none;
-add_header X-Download-Options noopen;
-add_header X-Permitted-Cross-Domain-Policies none;
-add_header X-Content-Type-Options "nosniff" always;
-add_header X-XSS-Protection "1; mode=block" always;
-add_header Referrer-Policy "no-referrer" always;
 add_header Feature-Policy "geolocation 'self'";
+
+add_header Referrer-Policy "strict-origin" always;
+
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options noopen;
+add_header X-Frame-Options DENY;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header X-Robots-Tag none;
+add_header X-UA-Compatible "IE=edge";
+add_header X-XSS-Protection "1; mode=block" always;

etc/nginx/conf.d/timeouts.conf

@@ -2,9 +2,9 @@
 ### NGINX configurations - timeouts
 #######
 
-client_body_timeout 12;
-client_header_timeout 12;
-keepalive_timeout 15;
+client_body_timeout 60;
+client_header_timeout 60;
+keepalive_timeout 65;
 send_timeout 300;
 reset_timedout_connection on;
 proxy_connect_timeout 300s;