nginx.conf

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

load_module modules/ngx_http_js_module.so;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    types {
        application/manifest+json webmanifest;
    }
    default_type application/octet-stream;

    access_log off;
    charset utf-8;
    etag off;
    if_modified_since off;
    keepalive_timeout 65;
    sendfile on;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types application/javascript application/json;

    js_import nginx.js;
    js_set $nonce nginx.nonce;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/nginx/localhost.crt;
    ssl_certificate_key /etc/nginx/localhost.rsa;

    server {
        listen 80;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        http2 on;
        root /usr/share/nginx/html;

        location ~ ^/(application|common|extensions) {
            add_header Cache-Control "max-age=31536000";
        }

        location = /index.html {
            add_header Content-Security-Policy "base-uri 'none'; child-src 'self'; connect-src 'nonce-$nonce' 'self' google-analytics.com; default-src 'self'; font-src 'self'; form-action 'none'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' google-analytics.com; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'nonce-$nonce' 'self' 'strict-dynamic' 'unsafe-inline'; script-src-elem 'nonce-$nonce' 'self' 'strict-dynamic' 'unsafe-inline'; style-src 'nonce-$nonce'; upgrade-insecure-requests; worker-src 'self'";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Content-Type-Options "nosniff";
            add_header X-Frame-Options "sameorigin";
            add_header X-XSS-Protection "1; mode=block";
            sub_filter_once off;
            sub_filter_last_modified on;
            sub_filter '<meta name="nonce"' '<meta name="nonce" content="$nonce"';
            sub_filter '<script' '<script nonce="$nonce"';
            sub_filter '<style' '<style nonce="$nonce"';
        }

        location / {
            add_header Cache-Control "no-cache";
            try_files $uri /index.html;
        }
    }
}