diff --git a/nginx-ssl.conf b/nginx-ssl.conf
index 5bdb61765..845a3ab9c 100644
--- a/nginx-ssl.conf
+++ b/nginx-ssl.conf
@@ -1,11 +1,13 @@
-listen *:443 ssl;
-ssl_certificate ssl/server.crt;
-ssl_certificate_key ssl/server.key;
-#ssl_dhparam ssl/dhparam.pem;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 2s;
 ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 3s;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
diff --git a/nginx.conf b/nginx.conf
index 7b071d5e8..c02c886ca 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -10,8 +10,12 @@ server_tokens off; root /usr/share/pmm-server/landing-page; + ssl_certificate /srv/nginx/certificate.crt; + ssl_certificate_key /srv/nginx/certificate.key; + ssl_trusted_certificate /srv/nginx/ca-certs.pem; + ssl_dhparam /srv/nginx/dhparam.pem; + ## BEGIN Those lines are managed from entrypoint.sh - #include nginx-ssl.conf; auth_basic off; auth_basic_user_file .htpasswd; ## END
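Review bot: The context line `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is left untouched while the cipher list is narrowed to AES-GCM EECDH/EDH suites, so TLSv1 and TLSv1.1 remain negotiable even though the hardening intent of the hunk points the other way; consider `ssl_protocols TLSv1.2;` in the same change. The added `ssl_stapling_verify on;` only verifies OCSP responses when the issuer chain is configured via `ssl_trusted_certificate` in the including context, which this file does not set, so a comment such as `# requires ssl_trusted_certificate in the including server block` would make that cross-file dependency visible. The `resolver 8.8.8.8 8.8.4.4` line now serves the OCSP responder lookups and sends those queries to a public DNS service in cleartext; if the host runs a local resolver, pointing at it keeps that traffic on-host. `ssl_ecdh_curve secp384r1;` pins a single curve, which is presumably deliberate but worth a one-line comment since clients that only offer P-256 or X25519 will be unable to complete an ECDHE handshake.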
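Review bot: The four `ssl_*` path directives are added unconditionally, but the `#include nginx-ssl.conf;` line that carried the protocol, cipher, stapling and HSTS settings is dropped from the entrypoint-managed block and nothing in this hunk re-adds it, so whether the hardened settings are applied at all now depends on entrypoint.sh, which is not visible here. A comment above the managed block, e.g. `# nginx-ssl.conf (protocols, ciphers, HSTS) and listen 443 are inserted by entrypoint.sh`, would record that dependency; the `listen *:443 ssl;` removed from nginx-ssl.conf in the other hunk likewise has no replacement in either file. nginx refuses to load its configuration when any of `/srv/nginx/certificate.crt`, `certificate.key`, `ca-certs.pem` or `dhparam.pem` is absent, so the ordering between certificate provisioning in entrypoint.sh and the first nginx start should be stated somewhere close to these lines. The enclosing server block starts and ends outside the hunk, and the exact placement of the blank lines in this hunk could not be recovered from the collapsed diff.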