diff --git a/README.md b/README.md
index 284caaf..1176042 100644
--- a/README.md
+++ b/README.md
@@ -3,12 +3,16 @@
 Online nginx configuration generator.
 
 ## Features
-* HTTPS (with [Let's Encrypt](https://letsencrypt.org) or custom certificate, [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/))
+* HTTPS (with [Let's Encrypt](https://letsencrypt.org) or custom certificate)
 * HTTP2
+* [SSL profiles](https://mozilla.github.io/server-side-tls/ssl-config-generator/)
+* [HSTS](https://hstspreload.org)
+* force HTTPS
 * CDN
 * www / non-www
+* redirect subdomains
 * IPv4, IPv6
-* PHP (TCP, 5.x FPM, 7.0 FPM, 7.1 FPM, 7.2 FPM)
+* PHP (TCP, 5.x FPM, 7.0 FPM, 7.1 FPM, 7.2 FPM, 7.3 FPM)
 * WordPress security essentials (*including [CVE-2018-6389](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389)*)
 * pass requests to index.php
 	* *[Laravel](https://laravel.com/docs/master/deployment#nginx)*
@@ -62,3 +66,5 @@ Online nginx configuration generator.
 * [NGINX Tuning For Best Performance](https://gist.github.com/denji/8359866)
 * [Hardening Your HTTP Security Headers](https://www.keycdn.com/blog/http-security-headers/)
 * [h5bp/server-configs-nginx](https://github.com/h5bp/server-configs-nginx)
+* [Diffie-Hellman DSA-like parameters](https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours/95184#95184)
+* [hstspreload.org](https://hstspreload.org)
diff --git a/public/assets/js/app.js b/public/assets/js/app.js
index 0cbf4de..7e882ec 100644
--- a/public/assets/js/app.js
+++ b/public/assets/js/app.js
@@ -39,6 +39,8 @@
 			force_https:		true,
 
 			cert_type:			'letsencrypt',
+			ssl_profile:		'intermediate',
+			hsts:				true,
 			email:				'',
 			ssl_certificate:	'',
 			ssl_certificate_key:'',
@@ -100,6 +102,21 @@
 
 		$scope.gzipTypes = 'text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml';
 
+		$scope.sslProfiles = {
+			modern: {
+				protocols: 'TLSv1.2',
+				ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
+			},
+			intermediate: {
+				protocols: 'TLSv1 TLSv1.1 TLSv1.2',
+				ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
+			},
+			old: {
+				protocols: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
+				ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+			},
+		};
+
 		$scope.clipboardCopy = undefined;
 
 
@@ -293,6 +310,22 @@
 			return $scope.isHTTPS() && $scope.data.cert_type === 'custom';
 		};
 
+		$scope.isSSLProfileModern = function() {
+			return $scope.isHTTPS() && $scope.data.ssl_profile === 'modern';
+		};
+
+		$scope.isSSLProfileIntermediate = function() {
+			return $scope.isHTTPS() && $scope.data.ssl_profile === 'intermediate';
+		};
+
+		$scope.isSSLProfileOld = function() {
+			return $scope.isHTTPS() && $scope.data.ssl_profile === 'old';
+		};
+
+		$scope.isHSTS = function() {
+			return $scope.isHTTPS() && $scope.data.hsts;
+		};
+
 		$scope.isNonWWW = function() {
 			return $scope.data.non_www;
 		};
diff --git a/public/index.html b/public/index.html
index 63b7a46..393bbd2 100644
--- a/public/index.html
+++ b/public/index.html
@@ -135,6 +135,35 @@
 										</div>
 									</div>
 								</div>
+								<div class="form-subgroup pt-2" ng-if="isHTTPS()" ng-cloak>
+									SSL profile:
+									<div class="form-subgroup">
+										<div class="form-check">
+											<input class="form-check-input" type="radio" id="modern" ng-model="data.ssl_profile" value="modern">
+											<label class="form-check-label" for="modern">
+												<span tooltips tooltip-template="Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8">modern</span>
+											</label>
+										</div>
+										<div class="form-check">
+											<input class="form-check-input" type="radio" id="intermediate" ng-model="data.ssl_profile" value="intermediate">
+											<label class="form-check-label" for="intermediate">
+												<span tooltips tooltip-template="Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7">intermediate</span>
+											</label>
+										</div>
+										<div class="form-check">
+											<input class="form-check-input" type="radio" id="old" ng-model="data.ssl_profile" value="old">
+											<label class="form-check-label" for="old">
+												<span tooltips tooltip-template="Oldest compatible clients: Windows XP IE6, Java 6">old</span>
+											</label>
+										</div>
+										<div class="form-check">
+											<input class="form-check-input" type="checkbox" id="hsts" ng-model="data.hsts">
+											<label class="form-check-label" for="hsts">
+												<span tooltips tooltip-template="HTTP Strict Transport Security is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.">HSTS</span>
+											</label>
+										</div>
+									</div>
+								</div>
 								<div class="mt-2">
 									<div class="form-group">
 										<div class="input-group input-group-sm">
@@ -359,7 +388,7 @@
 					<div class="col-md-6 col-lg-7 files">
 						<div class="row grid">
 							<div class="grid-sizer col-xl-6"></div>
-							<div ng-if="isHTTPS() || isWordPress()" class="grid-item col-xl-12" ng-cloak>
+							<div ng-if="(isHTTPS() && (isCertLetsEncrypt() || !isSSLProfileModern())) || isWordPress()" class="grid-item col-xl-12" ng-cloak>
 								<div class="commands">
 									<pre><code class="hljs bash" ng-include="'templates/commands.html?v=COMMIT_HASH'"></code></pre>
 								</div>
diff --git a/public/templates/commands.html b/public/templates/commands.html
index d21ff2c..46bdf12 100644
--- a/public/templates/commands.html
+++ b/public/templates/commands.html
@@ -1,15 +1,16 @@
 <!--
-✔ HTTPS --><span ng-if="isHTTPS()"><!--
+✔ HTTPS --><span ng-if="isHTTPS() && !isSSLProfileModern()"><!--
 
 --><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span>
-<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">2048</span><!--
+<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">{{ isSSLProfileOld() ? 1024 : 2048 }}</span><!--
 
---></span><!--
+--><span ng-if="isCertLetsEncrypt()">
+
+</span></span><!--
 
 
-✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()">
-
-<span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
+✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()"><!--
+--><span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
 <span class="hljs-section">sudo</span> <span class="hljs-attribute">-u</span> {{ data.user }} <span class="hljs-section">sh</span> <span class="hljs-attribute">-c</span> "<span class="hljs-section">mkdir</span> <span class="hljs-attribute">-p</span> /var/www/_letsencrypt"
 
 <span class="hljs-comment"># <strong>HTTPS</strong>: certbot (obtain certificates)<br># disable before first run: <strong>ssl_certificate</strong>, <strong>ssl_certificate_key</strong>, <strong>ssl_trusted_certificate</strong></span>
diff --git a/public/templates/conf/_ssl.conf.html b/public/templates/conf/_ssl.conf.html
index 8a2d73a..0c4fa9d 100644
--- a/public/templates/conf/_ssl.conf.html
+++ b/public/templates/conf/_ssl.conf.html
@@ -1,18 +1,21 @@
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
+ssl_session_tickets off;<!--
+
+✘ SSLProfileModern --><span ng-if="!isSSLProfileModern()">
 
 # Diffie-Hellman parameter for DHE ciphersuites
-ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparam.pem;</span>
 
-# intermediate configuration
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-ssl_prefer_server_ciphers on;
+# {{ data.ssl_profile }} configuration
+ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }};
+ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }};
+ssl_prefer_server_ciphers on;<!--
 
-# HSTS
-add_header Strict-Transport-Security "max-age=15768000" always;
+✔ HSTS--><span ng-if="isHSTS()">
+
+# HSTS (1 year, preload)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;</span>
 
 # OCSP Stapling
 ssl_stapling on;