diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 134a128..fa74821 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -3,8 +3,8 @@ MAINTAINER Yaltik - Fabien Bourgeois
 # Default variables
 ENV NGINX_HOST localhost 127.0.0.1
-ENV NGINX_PORT 80
-ENV NGINX_SSL_PORT 443
+ENV NGINX_PORT 8080
+ENV NGINX_SSL_PORT 8443
 # Create sensible CERTS
 RUN mkdir /etc/nginx/certs
@@ -19,4 +19,12 @@ COPY root.conf /etc/nginx/templates/
 # Dot not daemonize nginx
 RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
+# nginx user (no root)
+RUN touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /etc/nginx/
+
+USER nginx
+
 CMD bash /launch.sh
diff --git a/nginx/root.conf b/nginx/root.conf
index 26ec25c..f7c6379 100644
--- a/nginx/root.conf
+++ b/nginx/root.conf
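Review bot: The change of the defaults to 8080/8443 carries no comment, and read on its own it looks like an arbitrary renumbering; it is presumably required because the `USER nginx` added later in this file cannot bind ports below 1024 without CAP_NET_BIND_SERVICE. Suggest `# Unprivileged ports: nginx runs as a non-root user (USER nginx below) and cannot bind <1024` above the two ENV lines. Anything outside the image that still assumes 80/443 (port mappings, the templates consuming ${NGINX_PORT}/${NGINX_SSL_PORT}) should be checked, since the defaults changed.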
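Review bot: `chown -R nginx:nginx /etc/nginx/` hands the nginx user ownership of the entire configuration tree, including /etc/nginx/certs and the templates, so a compromised worker can rewrite its own configuration or certificate files; that undoes much of what dropping root buys. Restrict ownership to what is actually written at runtime — /var/run/nginx.pid, /var/cache/nginx, and whatever directory /launch.sh renders the templates into — and keep the rest of /etc/nginx root-owned with read-only permissions for nginx (the private key readable by the nginx group only). `-R` on the single pid file is a no-op and can be dropped: `chown nginx:nginx /var/run/nginx.pid`. Whether launch.sh itself needs write access anywhere now that it runs as nginx, and whether /var/log/nginx is writable by that user or redirected to stdout/stderr, is not visible in this hunk and should be confirmed.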
@@ -4,19 +4,30 @@ server {
 server_name ${NGINX_HOST};
 ssl_certificate /etc/nginx/certs/req.pem;
 ssl_certificate_key /etc/nginx/certs/cert.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
- ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
- ssl_prefer_server_ciphers on; # Logjam
+
+ ssl_protocols TLSv1.2 TLSv1.3; # don’t use SSLv3 ref: POODLE, nor TLSv1 / TLSv1.1
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
- ssl_session_cache shared:TLS:10m;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_session_cache shared:TLS:10m; # About 40k sessions
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
- resolver 8.8.8.8;
 # Set HSTS to 365 days
- add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
- client_max_body_size 200M;
+ # resolver 127.0.0.1;
+
+ # DDoS
+ client_body_buffer_size 1K;
+ client_header_buffer_size 1k;
+ client_max_body_size 1k;
+ large_client_header_buffers 2 1k;
 location / {
 root /var/www/html;
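Review bot: `client_max_body_size 1k;` caps every request body at 1 KiB (down from 200M), so any form POST or upload above that is rejected with 413; the buffer sizes in the `# DDoS` block are a reasonable hardening, but the body limit is a functional cap rather than a buffer and should stay at what the application actually needs, e.g. `client_max_body_size 10M; # adjust per deployment` (value to be chosen by the deployer). Separately, `resolver` is now only a comment while `ssl_stapling on` and `ssl_stapling_verify on` remain: nginx needs a resolver to reach the OCSP responder and `ssl_trusted_certificate` for verification, otherwise stapling is effectively disabled with only a startup warning, and it serves no purpose if the certificates are the self-generated ones the Dockerfile's "Create sensible CERTS" step suggests. `ssl_dhparam /etc/nginx/certs/dhparams.pem` also makes startup depend on that file existing, and nothing in this diff generates it, so that presumably happens in launch.sh or the cert step — worth a comment on the line saying where it comes from. TLSv1.3 in `ssl_protocols` needs an nginx/OpenSSL build that supports it, which the base image is not shown here. The server block continues past the end of the hunk.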