How to securely configure nginx for production step by step

1) Use a strong cipher suite:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES:DHE-RSA-AES:RSA-AES256-GCM-SHA512:RSA-AES256-SHA256:RSA-AES128-GCM-SHA256:RSA-AES128-SHA256;

2) Use a strong SSL/TLS protocol:

ssl_protocols TLSv1.2 TLSv1.3;

3) Use a strong key exchange algorithm:

ssl_dhparam dhparam.pem;

4) Use a strong message authentication code (MAC):

ssl_prefer_server_ciphers on;

5) Set a reasonable security level:

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 5m;

6) Use a strong Diffie-Hellman group:

ssl_ecdh_curve prime256v1:secp384r1;

7) Use only safe renegotiation:

ssl_stapling on;

ssl_stapling_verify on;

8) Use only secure protocols and ciphers:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

9) Use only secure protocols:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES:DHE-RSA-AES:RSA-AES256-GCM-SHA512:RSA-AES256-SHA256:RSA-AES128-GCM-SHA256:RSA-AES128-SHA256;

ssl_protocols TLSv1.2 TLSv1.3;

ssl_prefer_server_ciphers on;

10) Use only secure ciphers:

ssl_ecdh_curve prime256v1:secp384r1;

11) Use only secure renegotiation:

ssl_stapling on;

ssl_stapling_verify on;

12) Use only secure protocols and ciphers:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";