diff --git a/reverse/Dockerfile b/reverse/Dockerfile
index 8269514..07989c9 100644
--- a/reverse/Dockerfile
+++ b/reverse/Dockerfile
@@ -110,6 +110,9 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
 COPY nginx.conf /etc/nginx/conf/nginx.conf
 COPY run.sh /usr/local/bin/run.sh
 COPY ngxpasswd /usr/local/bin/ngxpasswd
+COPY ssl_params_d.conf /conf.d/ssl_params_d.conf
+COPY headers_params_d.conf /conf.d/headers_params_d.conf
+COPY proxy_params_d.conf /conf.d/proxy_params_d.conf
 RUN chmod +x /usr/local/bin/*
diff --git a/reverse/README.md b/reverse/README.md
index 53cc266..14964fc 100644
--- a/reverse/README.md
+++ b/reverse/README.md
@@ -1,6 +1,7 @@
 ## wonderfall/reverse
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
+ ![](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/OpenSSL_logo.png/220px-OpenSSL_logo.png)
 #### What is this?
@@ -38,3 +39,4 @@ It is required to chown your certs files with the right uid/pid and change the `
 #### How to use it?
 https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
+Some configuration files located in `/conf.d` are already provided, you can use them with the `include` directive. `ssl_params_d.conf` and `headers_params_d.conf` provide strong security, please check before or make your own configuration files...
diff --git a/reverse/headers_params_d.conf b/reverse/headers_params_d.conf
new file mode 100644
index 0000000..1f3c409
--- /dev/null
+++ b/reverse/headers_params_d.conf
@@ -0,0 +1,4 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/reverse/proxy_params_d.conf b/reverse/proxy_params_d.conf
new file mode 100644
index 0000000..6f9827e
--- /dev/null
+++ b/reverse/proxy_params_d.conf
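Review bot: The three new COPY lines place the include snippets at `/conf.d/` on the filesystem root rather than under the nginx configuration prefix (`/etc/nginx/conf/`, where nginx.conf is copied two lines above), so a relative `include conf.d/ssl_params_d.conf;` in a server block will not resolve and users must write the absolute path `include /conf.d/ssl_params_d.conf;`. If the root location is intentional, a comment on the first COPY line should say so, e.g. `# include snippets for nginx.conf; reference them by absolute path: include /conf.d/<name>.conf;`. Otherwise copying them to `/etc/nginx/conf/conf.d/` keeps them next to nginx.conf and lets relative includes work.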
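Review bot: None of the four `add_header` lines carries the `always` parameter, so nginx emits these headers only on success/redirect responses and error pages (4xx/5xx) leave without HSTS, `X-Frame-Options` or `nosniff`; append ` always` to each, e.g. `add_header X-Content-Type-Options nosniff always;` (supported since nginx 1.7.5). A second caveat belongs in a comment at the top of the file: `add_header` is not merged across levels, so any `server` or `location` block that declares its own `add_header` silently drops everything included here — `# NOTE: add_header does not inherit; re-include this file in any block that sets its own add_header`. The HSTS value also turns on `preload` and `includeSubdomains`, which commits every subdomain of the host to HTTPS for a year and is effectively irreversible once the domain is submitted to the preload list; in a shared snippet that should be an explicit opt-in, not the default.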
@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Remote-Port $remote_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_redirect off;
diff --git a/reverse/ssl_params_d.conf b/reverse/ssl_params_d.conf
new file mode 100644
index 0000000..d6bc9c2
--- /dev/null
+++ b/reverse/ssl_params_d.conf
@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”;
+ssl_prefer_server_ciphers on;
+ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+ssl_session_tickets off;
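Review bot: `X-Forwarded-For $proxy_add_x_forwarded_for` appends this proxy's `$remote_addr` to whatever the client already sent, so the header reaching the backend can begin with attacker-chosen addresses; a backend that uses it for access control, rate limiting or logging must take only the rightmost entry, or use `X-Real-IP $remote_addr`, which is set unconditionally from the socket peer. A comment on those two lines would keep the next reader from trusting the wrong header, e.g. `# X-Real-IP = socket peer (trustworthy); X-Forwarded-For = client-supplied list + peer, trust only its last entry`. If this proxy itself sits behind another load balancer, the realip module (`set_real_ip_from` / `real_ip_header`) is where trusted upstream hops should be declared, not this file.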
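Review bot: The closing quote on the `ssl_ciphers` line is the typographic right double quotation mark `”` (U+201D) rather than ASCII `"`, so if that is what is committed (and not a rendering artifact of this page) nginx will not parse the file — `nginx -t` fails on the unterminated string and every server that includes it refuses to start; replace it with `"`. The `ECDHE-ECDSA-CHACHA20-POLY1305-D` / `ECDHE-RSA-CHACHA20-POLY1305-D` entries look like the draft-suite names from the pre-OpenSSL-1.1.0 ChaCha20 patches; OpenSSL silently skips unknown cipher names, so they are harmless but dead weight on a current build and should be dropped. `ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1` omits `prime256v1` and X25519, the curves mainstream browsers prefer, while brainpool and sect571r1 are not offered by any major browser — `ssl_ecdh_curve X25519:secp384r1:prime256v1;` (X25519 needs OpenSSL ≥ 1.1.0) or `ssl_ecdh_curve auto;` (nginx ≥ 1.11.0) is the interoperable choice. Disabling session tickets next to a shared cache is the right call for forward secrecy and deserves a one-line comment saying so.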