diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp
index 6ff6dd5..f05c959 100644
--- a/abusesa/manifests/services.pp
+++ b/abusesa/manifests/services.pp
@@ -51,6 +51,8 @@ class abusesa::services(
 content => "umask 007\n",
 }
+ include ssl::ciphersuites
+
 nginx::config { 'abusesa.conf':
 content => template('abusesa/services/nginx.conf.erb'),
 }
diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb
index ca5b15f..5164c10 100644
--- a/abusesa/templates/services/nginx.conf.erb
+++ b/abusesa/templates/services/nginx.conf.erb
@@ -13,6 +13,12 @@ server {
 ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
 ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers <%= scope.lookupvar('ssl::ciphersuites::mozilla_modern_ciphersuites') %>;
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security max-age=15768000;
+
+
 proxy_buffering off;
 <% if @allow_dn -%>
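Review bot: The `include ssl::ciphersuites` line in `services.pp` gives no hint of why it sits in this class. The only consumer visible in this commit is `nginx.conf.erb`, which reads `ssl::ciphersuites::mozilla_modern_ciphersuites` through `scope.lookupvar`. A one-line comment above the include, such as `# nginx.conf.erb reads ssl::ciphersuites::mozilla_modern_ciphersuites`, would keep a later cleanup from removing it and leaving `ssl_ciphers` rendered without a value. The class body starts and ends outside the hunk.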
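Review bot: The `add_header Strict-Transport-Security max-age=15768000;` line in `nginx.conf.erb` only applies to the success and redirect status codes nginx lists for `add_header`, so error responses from this server go out without HSTS. On nginx 1.7.5 or later, `add_header Strict-Transport-Security "max-age=15768000" always;` covers them. nginx also stops inheriting server-level `add_header` lines in any `location` that declares its own; the rest of the server block is outside the hunk, so that is worth checking. Separately, `ssl_ciphers` is filled from `scope.lookupvar` with no fallback, and an undefined variable would presumably render as `ssl_ciphers ;`, which nginx rejects when it loads the config. Failing the template when the lookup comes back empty would surface that at catalog compile time instead.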