diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
new file mode 100644
index 000000000..272a29e26
--- /dev/null
+++ b/data/templates/nginx/security.conf.inc
@@ -0,0 +1,33 @@
+{% if compatibility == "modern" %}
+# Ciphers with modern compatibility
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
+# The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+{% else %}
+# As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
+ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
+ssl_prefer_server_ciphers on;
+
+# Ciphers with intermediate compatibility
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+# Uncomment the following directive after DH generation
+# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
+#ssl_dhparam /etc/ssl/private/dh2048.pem;
+{% endif %}
+
+more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
+more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+more_set_headers "X-Content-Type-Options : nosniff";
+more_set_headers "X-XSS-Protection : 1; mode=block";
+more_set_headers "X-Download-Options : noopen";
+more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+more_set_headers "X-Frame-Options : SAMEORIGIN";
+
+# Disable gzip to protect against BREACH
+# Read https://trac.nginx.org/nginx/ticket/1720 (text/html cannot be disabled!)
+gzip off;