diff --git a/h5bp/ssl/policy_modern.conf b/h5bp/ssl/policy_modern.conf
new file mode 100644
index 0000000..92c9a59
--- /dev/null
+++ b/h5bp/ssl/policy_modern.conf
@@ -0,0 +1,17 @@
+# ----------------------------------------------------------------------
+# | SSL policy - Modern                                                |
+# ----------------------------------------------------------------------
+
+# For services that don't need backward compatibility, the parameters
+# below provide a higher level of security.
+#
+# (!) This policy enfore a strong SSL configuration, which may raise
+#     errors with old clients.
+#     If a more compatible profile is required, use intermediate policy.
+#
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
+
+ssl_protocols TLSv1.2;
+ssl_ciphers EECDH+CHACHA20:EECDH+AES;
+ssl_prefer_server_ciphers on;