diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf
index 6752ac7..e97d81f 100644
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ b/ansible/roles/http/files/nginx/nginx.conf
@@ -34,11 +34,6 @@ http { # client_max_body_size 2k; # large_client_header_buffers 2 1k;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";
- limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
include /etc/nginx/sites-enabled/*.conf;
diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml
index f5d8637..567e44f 100644
--- a/ansible/roles/http/tasks/https.yml
+++ b/ansible/roles/http/tasks/https.yml
@@ -7,6 +7,7 @@ mode: 0644 with_items: - "{{ ci_server_name }}.https.conf"
+ notify: restart_nginx
tags: https - name: enable desired nginx https sites
@@ -18,5 +19,4 @@ with_items: - "{{ ci_server_name }}.https.conf" notify: restart_nginx
- when: stat_result.stat.exists
tags: https
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index debeef6..ac93ae5 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
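Review bot: The added `notify: restart_nginx` on the task that writes the site file (its `name` and module lines are above the hunk) fires on every content change, and if that handler does a full restart — its definition is not in this diff — a template that renders to invalid nginx syntax takes every site on the host down, because the stop succeeds and the start fails. A reload handler (`state: reloaded` on the service module) keeps the running configuration when the new one fails nginx's own config test, which is the safer way to apply site-file changes; the enable-sites task in the next hunk uses the same handler. Separately, the `mode: 0644` context line is an unquoted octal literal that YAML 1.1 parsers read as decimal 420; Ansible accepts it, but `mode: "0644"` is the form that survives other tooling.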
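Review bot: Dropping `when: stat_result.stat.exists` from the enable-sites task (whose `name` and module lines are above the hunk), together with the stat task this commit removes from certbot.yml, means the https vhost is enabled and nginx restarted whether or not `/etc/letsencrypt/live/{{ ci_server_name }}` exists; the tasks here run under `tags: https` while certbot runs under `tags: ssl`, so a tag-limited run, or a skipped certbot step, now yields a vhost whose `ssl_certificate` file is missing and a restart that fails for every site on the host. The old guard also broke in that case, but with an undefined-variable error rather than a non-starting nginx. A guard local to this file removes the cross-role coupling: a stat on the live directory registered here, with `when: cert_dir.stat.exists` on both the task that writes the site file and the enable task. The enable task's remaining lines are outside the hunk.

```yaml
- name: check that the certbot certificate for the https site exists
  become: true
  stat:
    path: "/etc/letsencrypt/live/{{ ci_server_name }}"
  register: cert_dir
  tags: https

# … unchanged: task that writes the site file and the enable-sites task, each gaining …
  when: cert_dir.stat.exists
```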
@@ -7,38 +7,42 @@ server { listen [::]:443 ssl http2; server_name {{ ci_server_name }};
- add_header Strict-Transport-Security max-age=6307200;
- add_header Allow "GET, POST, HEAD" always;
-
- #limit_except GET POST { deny all; }
-
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 1d;
- ssl_session_tickets off;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
location / { modsecurity on; modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+ add_header Allow "GET, POST, HEAD" always;
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
+ add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ # Sent from upstream:
+ # add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-XSS-Protection "1; mode=block";
+
+
proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $http_host;
+ proxy_buffering off;
+ proxy_http_version 1.1;
proxy_pass http://drone; proxy_redirect off;
- proxy_http_version 1.1;
- proxy_buffering off;
chunked_transfer_encoding off; }
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index fa67f71..e5c8ce6 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -16,10 +16,3 @@ args: creates: "/etc/letsencrypt/live/{{ ci_server_name }}" tags: ssl
-
-- name: check if certbot certificate was created
- become: true
- stat:
- path: "/etc/letsencrypt/live/{{ ci_server_name }}"
- register: stat_result
- tags: ssl
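Review bot: The Content-Security-Policy value on the added add_header line contains `base-uri 'none',base-uri 'self'`, which is not valid CSP — directives are separated by `;`, the comma-joined token is not a source expression, and `'none'` next to other sources is ignored by browsers — so the effective base-uri is whatever the parser salvages (most likely `'self'`) rather than a deliberate choice; write it once as `base-uri 'self';` or `base-uri 'none';`. The new policy also has no `script-src`, so `default-src 'self'` now governs scripts where the removed http-level header allowed `'unsafe-inline'` and `'unsafe-eval'`; the proxied UI should be checked for violations, and a `Content-Security-Policy-Report-Only` pass would surface them without breaking it. Since this commit deletes the headers from the http block in nginx.conf, any other server or location block pulled in from sites-enabled no longer receives them, and in this file they are set only inside `location /`, which nginx does not merge with headers set at the server level. `ssl_stapling on` needs a `resolver` directive to fetch OCSP responses; none is visible in this hunk, so confirm one is set at the server or http level. The server block continues past the hunk.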