Hacker News
by trimstray 2683 days ago
"and most of the hardening seems questionable at best." - Don't do this, please add rationale, not bullshit.

"Some of the headers that are suggested have some implications that aren't really explained at all. Like HSTS including sub-domains." - This repo also contains "Force all connections over TLS". However, I understand your attention.

"And you don't set the `default_server` as this document suggests. `default_server` is a parameter to the `listen`-directive. The only reason the docs might work is because the first server-block defined, when no-one is defined as `default_server`, becomes the default server." - You're right, your suggestion is very good (it's also from the official Nginx handbook) and rational, thanks for this! I receive this criticism, my mistake.