diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 09c40624e..3168a5986 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -89,11 +89,18 @@ http {
 		server_name _;
 		return 307 https://{{ GLOBALS.url_base }}$request_uri;
 
+		add_header 	Content-Security-Policy     "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
+		add_header 	X-Frame-Options             SAMEORIGIN;
+		add_header 	X-XSS-Protection            "1; mode=block";
+		add_header 	X-Content-Type-Options      nosniff;
+		add_header 	Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+		add_header 	referrer-Policy             no-referrer;
+
 		ssl_certificate "/etc/pki/nginx/server.crt";
 		ssl_certificate_key "/etc/pki/nginx/server.key";
 		ssl_session_cache shared:SSL:1m;
 		ssl_session_timeout  10m;
-		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
 		ssl_ecdh_curve secp521r1:secp384r1;
 		ssl_prefer_server_ciphers on;
 		ssl_protocols TLSv1.2;
@@ -123,11 +130,19 @@ http {
 		http2 on;
         server_name {{ GLOBALS.url_base }};
         root /surirules;
+
+		add_header 	Content-Security-Policy     "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
+		add_header 	X-Frame-Options             SAMEORIGIN;
+		add_header 	X-XSS-Protection            "1; mode=block";
+		add_header 	X-Content-Type-Options      nosniff;
+		add_header 	Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+		add_header 	referrer-Policy             no-referrer;
+
 		ssl_certificate "/etc/pki/nginx/server.crt";
 		ssl_certificate_key "/etc/pki/nginx/server.key";
 		ssl_session_cache shared:SSL:1m;
 		ssl_session_timeout  10m;
-		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
 		ssl_prefer_server_ciphers on;
 		ssl_protocols TLSv1.2;
         location / {
@@ -153,13 +168,14 @@ http {
 		add_header 	X-Frame-Options             SAMEORIGIN;
 		add_header 	X-XSS-Protection            "1; mode=block";
 		add_header 	X-Content-Type-Options      nosniff;
-		add_header 	Strict-Transport-Security   "max-age=31536000; includeSubDomains; preload";
+		add_header 	Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+		add_header 	referrer-Policy             no-referrer;
 
 		ssl_certificate "/etc/pki/nginx/server.crt";
 		ssl_certificate_key "/etc/pki/nginx/server.key";
 		ssl_session_cache shared:SSL:1m;
 		ssl_session_timeout  10m;
-		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
 		ssl_prefer_server_ciphers on;
 		ssl_protocols TLSv1.2;