diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 072744f..073d69e 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -36,6 +36,9 @@ ssl_session_ticket_key session-ticket-keys/1.key;
 ## ssl_trusted_certificate
 ## ssl_stapling_file
+# Make sure ssl early data is off - replay attack mitigation
+ssl_early_data off;
+
 # Cookie flags
 proxy_cookie_flags ~ secure;
diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf
index 2ea7ce3..379d5e2 100644
--- a/etc/nginx/snippets/proxy.conf
+++ b/etc/nginx/snippets/proxy.conf
@@ -4,7 +4,7 @@
 # Force http 1.1, anything not supporting it shouldn't be used
 proxy_http_version 1.1;
-# Replay attack mitigation for early data
+# Signal to upstream whether ssl_early_data is used
 proxy_set_header Early-Data $ssl_early_data;
 # Restore visitor IP
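Review bot: `ssl_early_data off;` is already nginx's default, so the added line pins the current behaviour rather than changing it; the comment should say so, otherwise a later reader may assume something was previously enabled, e.g. `# Keep TLS 1.3 0-RTT disabled (nginx default): early data is replayable, and enabling it requires the upstream to handle the Early-Data header per RFC 8470`. The directive is scoped to the context it sits in (http or server); the enclosing block of default.conf is outside the hunk, so if this file holds several server blocks it is worth confirming the line covers all of them or lives at http level. It would also help to note here that snippets/proxy.conf forwards `$ssl_early_data` and relies on this setting staying off.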
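Review bot: The new comment in proxy.conf describes the header as a signal of "whether" early data is used, but `proxy_set_header` omits a header whose value is empty, and `$ssl_early_data` is empty unless 0-RTT data is actually in flight, so the upstream only ever sees `Early-Data: 1`, never an explicit negative; with `ssl_early_data off` in default.conf it is never sent at all. A more precise wording would be `# Forward RFC 8470 Early-Data (set to 1 only while 0-RTT data is being processed) so the upstream can reject non-idempotent requests with 425 Too Early; no header is sent while ssl_early_data is off`. Keeping the line even though early data is disabled is reasonable, but the comment should make that dependency explicit so the two files are not changed independently.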