nginx.conf

# this allows you to call directives such as "env" in your own conf files
# http://nginx.org/en/docs/ngx_core_module.html#env
#
# and load dynamic modules via load_module
# http://nginx.org/en/docs/ngx_core_module.html#load_module
include /etc/nginx/main.d/*.conf;

worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  quic  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$http3"';

    access_log  /var/log/nginx/access.log  quic;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    # security, reveal less information about ourselves
    server_tokens off; # disables emitting nginx version in error messages and in the “Server” response header field
    more_clear_headers 'Server';
    more_clear_headers 'X-Powered-By';

    # prevent clickjacking attacks
    more_set_headers 'X-Frame-Options: SAMEORIGIN';

    # help to prevent cross-site scripting exploits
    more_set_headers 'X-XSS-Protection: 1; mode=block';

    # help to prevent Cross-Site Scripting (XSS) and data injection attacks
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    more_set_headers "Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';";

    # enable response compression
    gzip  on;
    brotli on;
    brotli_static on;

    include /etc/nginx/conf.d/*.conf;
}