ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;

add_header Content-Security-Policy "
object-src 'none';
base-uri 'none';
require-trusted-types-for 'script';
report-uri https://optimization.ligalytics.com/_csp;
script-src 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-secret321' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:;
img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com  *.googleusercontent.com data:;
frame-src *.google.com;
connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com  data: blob:;
font-src https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
worker-src blob:;
";

set $SCRIPT "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline'";
set $SCRIPT "${SCRIPT} https://www.a.com";
set $SCRIPT "${SCRIPT} https://b.com";
set $STYLE "style-src 'self'";
set $STYLE "${STYLE} https://a.com";
set $IMG "img-src 'self' data:";
set $IMG "${IMG} https://a.com";
set $IMG "${IMG} https://www.b.com";
set $FONT "font-src 'self' data:";
set $FONT "${FONT} https://a.com";
set $DEFAULT "default-src 'self'";
set $CONNECT "connect-src 'self'";
set $CONNECT "${CONNECT} https://www.a.com";
set $CONNECT "${CONNECT} https://www.b.com";
set $FRAME "frame-src 'self'";
set $FRAME "${FRAME} https://a.com";
set $FRAME "${FRAME} https://b.com";
add_header Content-Security-Policy "${SCRIPT}; ${STYLE}; ${IMG}; ${FONT}; ${DEFAULT}; ${CONNECT}; ${FRAME}";