diff --git a/roles/webserver/templates/conf.d/cloud.conf.j2 b/roles/webserver/templates/conf.d/cloud.conf.j2
index 213ca00..f5e63f8 100644
--- a/roles/webserver/templates/conf.d/cloud.conf.j2
+++ b/roles/webserver/templates/conf.d/cloud.conf.j2
@@ -7,15 +7,18 @@ upstream nextcloud-notify-push {
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
 "" "";
- default "immutable";
+ default ", immutable";
 }
 
-
 server {
 listen 80;
 listen [::]:80;
 server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
- # enforce https
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ # Enforce HTTPS
 return 301 https://$server_name$request_uri;
 }
 
@@ -32,6 +35,9 @@ server {
 # Path to the root of your installation
 root {{ nextcloud_dir }};
 
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
 # HSTS settings
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
@@ -70,20 +76,17 @@ server {
 add_header X-Robots-Tag "noindex, nofollow" always;
 add_header X-XSS-Protection "1; mode=block" always;
 
- # Add Alt-Svc header to negotiate HTTP/3.
- add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
- add_header x-quic 'h3' always;
-
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
 
- # Add .mjs as a file extension for javascript
+ # Set .mjs and .wasm MIME types
 # Either include it in the default mime.types list
- # or include you can include that list explicitly and add the file extension
+ # and include that list explicitly or add the file extension
 # only for Nextcloud like below:
 include mime.types;
 types {
 text/javascript js mjs;
+ application/wasm wasm;
 }
 
 # Specify how to handle directories -- specifying `/index.php$request_uri`
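Review bot: The comment `# Prevent nginx HTTP Server Detection` above the new `server_tokens off;` in the port-80 server block overstates what the directive does: it strips the version string from the `Server` header and from nginx error pages, but the `Server: nginx` header is still sent, so the server software remains identifiable. The same comment and directive are repeated in the second hunk's HTTPS server block, which starts outside that hunk. A comment such as `# Hide the nginx version in the Server header and error pages (the "nginx" product name is still sent)` would be accurate in both places. If the role also manages nginx.conf, a single `server_tokens off;` in the `http` context would cover both server blocks and avoid the duplication.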
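Review bot: The reworded comment block above `include mime.types;` in the third hunk still reads `# Either include it in the default mime.types list` although its heading now names two extensions (`.mjs` and `.wasm`); `# Either include them in the default mime.types list` keeps the sentences consistent. Removing the `Alt-Svc` and `x-quic` headers is only coherent if no `listen ... quic` directive remains in this server block; the listen lines are outside the hunk, so that is worth confirming (advertising nothing while QUIC is still enabled is harmless but defeats the intent of the original lines). The enclosing server block starts and ends outside this hunk.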
@@ -165,12 +168,15 @@ server {
 # Serve static files
 location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
 try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Cache-Control "public, max-age=15778463$asset_immutable";
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 access_log off; # Optional: Don't log access to assets
-
- location ~ \.wasm$ {
- default_type application/wasm;
- }
 }
 
 location ~ \.woff2?$ {
@@ -196,4 +202,4 @@ server {
 location / {
 try_files $uri $uri/ /index.php$request_uri;
 }
-}
+}
\ No newline at end of file
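Review bot: The header list added to the static-asset `location` copies the `.htaccess` set but not HSTS: an `add_header` inside a location replaces rather than extends the server-level `add_header` set, so if the server block sets `Strict-Transport-Security` via `add_header` (the `# HSTS settings` comment visible in the earlier hunk suggests it does), responses for css/js/wasm and the other matched extensions still go out without it, as they did before this change. Adding `add_header Strict-Transport-Security "<same value as the server block>" always;` to this location (and to the `\.woff2?$` location that follows, if it also sets `add_header`) closes that gap. Since these six `add_header` lines now appear twice in the file, an `include` of a shared snippet (for example `include snippets/nextcloud-headers.conf;`, path to be chosen) would keep the two copies from drifting. The enclosing server block starts and ends outside this hunk.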