This repository has been archived by the owner on Aug 25, 2023. It is now read-only.
nginx.conf
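# Catch-all virtual host: serves static files from /frontend/ and hands *.php
# requests to a PHP-FPM backend reachable as php:9000.
server {
    listen 80 default_server;
    server_name _;
    index index.php index.html;
    root /frontend/;

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # Request size limits. Bodies over 100k are rejected with 413 and request
    # headers must fit in small buffers; raise these deliberately if the
    # application needs uploads or large cookies.
    client_body_buffer_size 100K;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 2 1k;

    # Allow a larger response buffer for subrequests.
    subrequest_output_buffer_size 100k;

    # Response security headers.
    # "always" is required: without it nginx adds these only to 2xx/3xx
    # responses, so the 403/404/405 responses this config itself produces
    # would go out with no security headers at all.
    # add_header is inherited only by locations that declare no add_header of
    # their own; a location that adds one must repeat this whole set.

    # Clickjacking protection: only same-origin pages may frame this site.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Stop browsers from MIME-sniffing a response away from its declared type.
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy XSS-filter header. Current browsers have removed the filter, so
    # this is not an XSS defence on its own; a Content-Security-Policy suited
    # to the application is the control to rely on.
    add_header X-XSS-Protection "1; mode=block" always;
    # HSTS. Browsers ignore this header when it arrives over plain HTTP, and
    # this server only listens on port 80, so it takes effect only if TLS is
    # terminated in front of this server (presumably a proxy or load
    # balancer; confirm). includeSubdomains pins every subdomain to HTTPS for
    # a year, so all of them must serve valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;

    # Limit HTTP methods to the ones the site uses.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }

    # Deny access to dot files and dot directories (.git, .env, .htaccess, ...).
    # Regex locations are tried in order, so this must stay above the PHP
    # location to keep anything under a dot directory from reaching FastCGI.
    # Note it also blocks /.well-known/ (e.g. ACME challenges).
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Serve static assets with a 7-day cache lifetime. These requests are not
    # written to the access log, so they will not appear in log-based review.
    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 7d;
    }

    # Hand PHP scripts to the FastCGI backend.
    location ~ \.php$ {
        # Only pass requests whose URI is an existing file under the document
        # root. This keeps a URI such as /upload.jpg/x.php from being run as
        # PHP through path-info fallback. The check happens on this server's
        # filesystem, so nginx and the php backend must see the same files at
        # the same path.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # httpoxy mitigation: never forward a client-supplied "Proxy" request
        # header to PHP as the HTTP_PROXY variable.
        fastcgi_param HTTP_PROXY "";
    }
}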