diff --git a/.metadata b/.metadata index b31cad5..81ef96b 100644 Binary files a/.metadata and b/.metadata differ diff --git a/.templates/nginx/.nginx/_default.conf b/.templates/nginx/.nginx/_default.conf index c634943..a319cc4 100644 --- a/.templates/nginx/.nginx/_default.conf +++ b/.templates/nginx/.nginx/_default.conf 
@@ -1,14 +1,42 @@ # A restrictive default virtualhost configuration. +# Provides HTTPs with a self-signed certificate. + +# The STS header should only be sent over https. +map $scheme $hsts_header { https "max-age=31536000; includeSubDomains"; } server { - listen 80 default_server; - server_name _; + listen 80 default_server; + listen 443 ssl default_server; - root /var/www/html; - index index.html index.htm index.nginx-debian.html; + server_name _; + + root /var/www/html; + index index.html index.htm index.nginx-debian.html; + + location / { + types { } default_type text/html; + return 404 "$hostname"; + } + + ################################################################################## + # The SSL part + # https://ssl-config.mozilla.org/ + # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033 + + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/ + ssl_session_timeout 1440m; + ssl_session_tickets off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA"; + + # Activate it only in case of stable HTTPs service. +# more_set_headers "Strict-Transport-Security: $hsts_header"; +# ssl_stapling on; +# ssl_stapling_verify on; - location / { - default_type text/html; - return 404 "$hostname"; - } } diff --git a/.templates/nginx/.nginx/_general.conf b/.templates/nginx/.nginx/_general.conf index 1eead3a..cc98517 100644 --- a/.templates/nginx/.nginx/_general.conf +++ b/.templates/nginx/.nginx/_general.conf 
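Review bot: The `ssl_ciphers` list added in the SSL section ends with `ECDHE-RSA-AES128-SHA`, a CBC/SHA-1 suite that the cited Mozilla intermediate profile does not include, so either the suite should be dropped or the "'A' grade" comment re-verified; the same list is kept as context in the `@@ -104` hunk of nginx.conf. `ssl_session_timeout 1440m;` together with `ssl_session_tickets off;` only has an effect if `ssl_session_cache` is configured, which this hunk does not do — presumably it is set at http level, otherwise add e.g. `ssl_session_cache shared:SSL:10m;` beside it. The `DHE-RSA-*` suites are only offered once `ssl_dhparam` is set, which is also not visible here, so the list advertises more than the server will negotiate. Finally, `return 404 "$hostname";` (carried over from the old side) sends the machine's hostname in the body of every request that reaches the default server, which sits oddly with a "restrictive" default; a fixed body such as `return 404 "";` avoids the disclosure.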
@@ -1,14 +1,29 @@ # NGINX general configuration for Docker services. +# Uses ngx_http_headers_more_filter_module to inherit the security headers. +# Note, this is not a really restrictive policy! +# Feel free to customize the particular vhost definitions. # Doesn't explore unnecessary info. +# server_tokens off; -# Depends on ngx_http_security_headers_module.so -#hide_server_tokens on; + +# Security headers to achieve 'A' grade on https://securityheaders.com/ +# See e.g https://linuxcapable.com/how-to-configure-security-headers-in-nginx/ +# Depends on ngx_http_headers_more_filter_module.so +# +# These are valid restrictions below. +more_set_headers "X-Frame-Options: SAMEORIGIN"; +more_set_headers "X-Content-Type-Options: nosniff"; +more_set_headers "Referrer-Policy: no-referrer-when-downgrade"; +# These are dummy restrictions (meaningless headers) below. +more_set_headers "Content-Security-Policy: img-src *"; +more_set_headers "Permissions-Policy: geolocation=*"; # https://amalgjose.com/2020/05/15/how-to-set-the-allowed-url-length-for-a-nginx-request-error-code-414-uri-too-large/ +# large_client_header_buffers 4 32k; # https://serverfault.com/questions/602201/nginx-possible-bug-with-dashes-in-server-name # https://trac.nginx.org/nginx/ticket/571 +# #server_names_hash_bucket_size 64; - diff --git a/.templates/nginx/nginx.conf b/.templates/nginx/nginx.conf index e3ccb24..59bc93b 100644 --- a/.templates/nginx/nginx.conf +++ b/.templates/nginx/nginx.conf @@ -3,6 +3,8 @@ # Flags the non 2xx or non 3xx (probably error) responses. map $status $errorlog_$PAR_PROXYPORT { ~^[23] 0; default 1; } +# The STS header should only be sent over https. +map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; } # Virtualhost's configuration follows. server { 
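Review bot: The `Content-Security-Policy: img-src *` and `Permissions-Policy: geolocation=*` headers added under "dummy restrictions" are sent to every client yet restrict nothing, so the scanner grade is bought with a policy that misleads anyone inspecting response headers; if a baseline that is safe for arbitrary backends is wanted, `more_set_headers "Content-Security-Policy: frame-ancestors 'self'";` mirrors the `X-Frame-Options: SAMEORIGIN` line already sent and is a genuine restriction. `Referrer-Policy: no-referrer-when-downgrade` is the legacy browser default; `strict-origin-when-cross-origin` is the current default in major browsers and exposes the full URL to fewer parties. The `more_set_headers` directives also require the headers-more module to be loaded with `load_module` before this file is included, and nginx refuses to start otherwise — the new header comment could state that, e.g. `# Requires load_module for ngx_http_headers_more_filter_module.so in the main nginx.conf.`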
@@ -67,11 +69,11 @@ server { # # Static service. # location / { -# root $PAR_SERVICE/storage/volumes/staticweb/; -# allow all; -# autoindex off; -# index index.html index.htm; -# try_files $ri $uri/ =404; +# root $PAR_SERVICE/storage/volumes/staticweb/; +# allow all; +# autoindex off; +# index index.html index.htm; +# try_files $ri $uri/ =404; # } # # No static service, but we may provide the OPTIONS for a potential DAV client. @@ -104,14 +106,11 @@ server { ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA"; - ssl_stapling on; - ssl_stapling_verify on; - - # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html -# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -# add_header X-Frame-Options SAMEORIGIN; -# add_header X-Content-Type-Options nosniff; + # Activate it only in case of stable https service. +# more_set_headers "Strict-Transport-Security: $hsts_header_$PAR_PROXYPORT"; +# ssl_stapling on; +# ssl_stapling_verify on; } -# That's all. \ No newline at end of file +# That's all.
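Review bot: Commenting out `ssl_stapling on;` and `ssl_stapling_verify on;` under the "stable https service" caveat removes a hardening the vhost previously had, although OCSP stapling carries none of the lock-in risk that justifies gating HSTS; keep the two stapling lines active and leave only the `more_set_headers "Strict-Transport-Security: ..."` line opt-in. Note that `ssl_stapling_verify on` needs `ssl_trusted_certificate` and a `resolver` directive to work, neither of which is visible in this hunk, and that the `$hsts_header_$PAR_PROXYPORT` map added in the `@@ -3,6` hunk is otherwise unreferenced, so a typo in the name will only surface when the line is uncommented. Separately, the re-indented `try_files $ri $uri/ =404;` in the `@@ -67` hunk still reads `$ri` where `$uri` is presumably meant, which will bite whoever enables the static-service block. The enclosing `server { }` block starts outside this hunk.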