--- a/contrib/provision/roles/tram-im/templates/etc/nginx/sites-available/tram-im	Sat Sep 16 22:40:16 2017 +0800
+++ b/contrib/provision/roles/tram-im/templates/etc/nginx/sites-available/tram-im	Sat Sep 16 22:43:00 2017 +0800
@@ -17,8 +17,8 @@
 server {
     server_name {{ domain }};
 
-    listen 443 ssl spdy;
-    listen [::]:443 ssl spdy;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     ssl_certificate {{ ssl_cert }};
     ssl_certificate_key {{ ssl_key }};
@@ -32,15 +32,15 @@
     resolver_timeout {{ nginx_resolver_timeout }};
 
     # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
-    add_header Strict-Transport-Security 'max-age=31536000';
+    add_header Strict-Transport-Security 'max-age=31536000' always;
 
     add_header Cache-Control private;
 
     # Various security headers not related to HTTPS
     # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection '1; mode=block';
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection '1; mode=block' always;
 
     access_log /var/log/nginx/{{ domain }}.access.log;
     error_log /var/log/nginx/{{ domain }}.error.log;