nginx.conf

map $request_uri $csp_header {
    default "default-src https://qubyte.codes; style-src 'self'; img-src *; media-src *; child-src https://www.youtube-nocookie.com 'self'; frame-src https://www.youtube-nocookie.com 'self'; object-src 'none'; script-src 'self';";
    /sw.js "connect-src *;";
}

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    server_name qubyte.codes www.qubyte.codes localhost;

    charset utf-8;
    gzip on;
    gzip_types text/plain application/xml text/xml text/css application/javascript;

    ssl_certificate /etc/letsencrypt/live/qubyte.codes/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qubyte.codes/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers.
    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy $csp_header;
    add_header Referrer-Policy strict-origin-when-cross-origin;

    root /home/qubyte/qubyte-codes/public;

    location ~* \.css$ {
        expires max;
        etag off;
        add_header Cache-Control public;
        add_header Cache-Control immutable;
    }

    location / {
        expires -1;
        try_files $uri $uri/ $uri.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}