diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 5bdfa19..045f051 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -9,6 +9,14 @@ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-EC
 ssl_prefer_server_ciphers on;
 ssl_conf_command Options PrioritizeChaCha;
 
+# Use strong ciphers for proxies
+proxy_ssl_verify on;
+proxy_ssl_server_name on;
+proxy_ssl_session_reuse on;
+proxy_ssl_protocols TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+proxy_ssl_conf_command Options PrioritizeChaCha;
+
 ## Configure ssl session cache
 ## Improves performance but we don't wanna keep this forever
 ## Session ticket creation and rotation is handled by GrapheneOS's scripts:
@@ -22,11 +30,6 @@ ssl_session_ticket_key session-ticket-keys/3.key;
 ssl_session_ticket_key session-ticket-keys/2.key;
 ssl_session_ticket_key session-ticket-keys/1.key;
 
-## Enable HSTS header
-
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
 ## The following settings need to be declared manually per vhost:
 ## ssl_certificate
 ## ssl_certificate_key
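Review bot: `proxy_ssl_verify on;` is turned on in the first hunk without a matching `proxy_ssl_trusted_certificate` directive, and nginx does not fall back to the system CA bundle for upstream verification, so every proxied HTTPS connection will fail verification ("unable to get local issuer certificate") unless the trust store is declared here or in each vhost that proxies to TLS upstreams. Add `proxy_ssl_trusted_certificate` pointing at the CA bundle that issued the upstream certificates (and consider `proxy_ssl_verify_depth` if that chain is longer than the default of 1), or at least document it in the "declared manually per vhost" list so the requirement is not silently missed. The `proxy_ssl_ciphers` list is ECDSA-only, which means an upstream presenting an RSA certificate cannot complete a TLS 1.2 handshake at all; if that is intended, say so, otherwise add the ECDHE-RSA equivalents. The header comment `# Use strong ciphers for proxies` also undersells what the block does — `# TLS for proxied HTTPS upstreams: verify the upstream cert (needs proxy_ssl_trusted_certificate), send SNI, and restrict protocols/ciphers` would tell the next maintainer why verification is on and what it depends on.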