+SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA128:!AES128:!RSA
+SSLHonorCipherOrder on
+SSLCompression off
+SSLSessionTickets off
+
+# Use this command to generate 4096 DH parameters (it will take long time):
+# openssl dhparam -out /etc//httpd/ssl/dhparams.pem 4096
+# When finished, uncomment line below
+#SSLOpenSSLConfCmd DHParameters /etc/httpd/ssl/dhparams.pem
+
+SSLOpenSSLConfCmd ECDHParameters secp384r1
+SSLOpenSSLConfCmd Curves secp521r1:secp384r1
+
+Header always set Strict-Transport-Security max-age=31556952;includeSubDomains
+Header always set X-Frame-Options SAMEORIGIN
+Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+Header always set X-Content-Type-Options nosnif
+
+# OCSP Stapling
+SSLUseStapling on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/cache/httpd/ocsp(128000)
+
+# Whether to allow non-SNI clients to access a name-based virtual host.
+#SSLStrictSNIVHostCheck on
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# Enable, if you have real ssl cert and want to cache OCSP
+# https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+SSLUseStapling off