diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 89ed386..9bf4dff 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
@@ -12,26 +12,36 @@ server {
 error_page 404 /404.html;
+ add_header Cache-Control no-cache;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header 'X-Frame-Options' 'ALLOW-FROM *';
+ add_header X-Frame-Options "sameorigin";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Credentials' 'true';
 add_header 'Access-Control-Allow-Methods' '*';
 add_header 'Access-Control-Allow-Headers' '*';
 add_header 'X-Ipfs-Path' '/ipns/{{ item }}';
- location /.well-known/webfinger {
- default_type application/jrd+json;
- }
- location /.well-known/host-meta {
- default_type application/xrd+xml;
- }
-
 location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to displaying a 404.
 # Also try loading .html/.md/.gemini/.gmi files
 try_files $uri $uri/ $uri.html $uri.md $uri.gmi $uri.gemini =404;
+
+ location = /.well-known/webfinger {
+ default_type application/jrd+json;
+ }
+
+ location = /.well-known/host-meta {
+ default_type application/xrd+xml;
+ }
+
+ location = /.well-known/nodeinfo {
+ default_type "application/jrd+json";
+ }
 }
 listen [::]:443 ssl; # managed by Certbot
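Review bot: The five new `add_header` lines (Cache-Control through Referrer-Policy) omit the `always` flag that the neighbouring Strict-Transport-Security line carries, so nginx emits them only on 2xx/3xx responses and the `/404.html` page wired up by `error_page 404` at the top of the hunk goes out without X-Frame-Options, X-Content-Type-Options and the rest; append `always` to each, e.g. `add_header X-Content-Type-Options "nosniff" always;`. `X-XSS-Protection "1; mode=block"` is a legacy header whose blocking mode has caused its own problems in older browsers and has been removed from most current ones; present guidance is to send `0` or drop the line in favour of a Content-Security-Policy. The unchanged pair `Access-Control-Allow-Origin '*'` with `Access-Control-Allow-Credentials 'true'` is also worth a look, since browsers reject credentialed responses that carry a wildcard origin, so the second header buys nothing. The enclosing `server` block opens and closes outside this hunk.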
@@ -40,8 +50,25 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
+ ssl_early_data on;
+
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1&guideline=5.7
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+ gzip_static on;
+
+ default_type "text/html";
+
+ # Some Fediverse endpoints don't include an extension and we'd need to
+ # configure everything. By adding index.json, we can serve these
+ # endpoints as directories.
+ index index.html index.json index.md index.gmi index.gemini;
+}
 server {
 server_name {{item}};
@@ -49,6 +76,6 @@ server {
 listen 80;
 listen [::]:80;
- return 301 https://{{item}}$request_uri;
+ return 301 https://{{item}}$request_uri;
 }
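Review bot: The new `ssl_session_timeout`, `ssl_session_cache`, `ssl_session_tickets`, `ssl_protocols` and `ssl_ciphers` directives sit in the same `server` context as the `include /etc/letsencrypt/options-ssl-nginx.conf;` kept two lines above; certbot's stock version of that file sets those same directives, and nginx refuses a configuration that repeats a directive within one context (`"ssl_protocols" directive is duplicate`), so this template likely fails `nginx -t` unless that file has been trimmed on the host — confirm its contents and either drop the include or drop the overlapping lines. `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which an on-path party can replay; that is tolerable here only because the block serves static files, so a comment such as `# 0-RTT is replayable: keep only while this server block serves static content with no proxy_pass` would stop a later proxy addition from inheriting it silently. The Mozilla intermediate profile linked in the comment also sets `ssl_prefer_server_ciphers off;` and OCSP stapling (`ssl_stapling on; ssl_stapling_verify on;`), neither of which appears in the hunk. The `server` block this hunk extends begins before the hunk.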