diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4de2c33ad7..2d05286071 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -18,6 +18,17 @@ Changed
 Contributed by @Kami.
+* Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
+ images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
+ removed). #5183
+
+ Contributed by @Kami and @shital.
+
+* Added web header settings for additional security hardening to nginx.conf: X-Frame-Options,
+ Strict-Transport-Security, X-XSS-Protection and server-tokens. #5183
+
+ Contributed by @shital.
+
 3.4.0 - March 02, 2021
 ----------------------
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 2d9b8b925c..4dca0e4c9a 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -24,12 +24,12 @@ server {
 server {
 listen *:443 ssl;
-
+ server_tokens off;
 ssl_certificate /etc/ssl/st2/st2.crt;
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
@@ -40,6 +40,9 @@ server {
 add_header Front-End-Https on;
 add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY always;
+ add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
+ add_header X-XSS-Protection "1; mode=block";
 location @apiError {
 add_header Content-Type application/json always;
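Review bot: `ssl_protocols TLSv1.2;` drops TLS 1.3 together with the legacy versions; on nginx builds linked against OpenSSL 1.1.1 or newer, `ssl_protocols TLSv1.2 TLSv1.3;` keeps the hardening intent while letting current clients negotiate the stronger protocol (whether every platform the installer and Docker images target ships such a build is not visible here). The `server_tokens off;` added in the same hunk is scoped to this `server` block only; if the lines before 24, outside the hunk, hold another server block such as an HTTP-to-HTTPS redirect, the version string is still emitted there unless the directive is repeated or set at the `http` level. The unchanged `ssl_ciphers` line in the hunk also contains entries that do not appear to be valid OpenSSL cipher names (the `*-SHA128` and `AES128-GCM-SHA384` forms), which OpenSSL skips silently, so the effective list is narrower than it reads and is worth a tidy now that only TLS 1.2 is offered. The enclosing server block continues past the end of the hunk.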
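Review bot: The Strict-Transport-Security value `max-age=3153600` is roughly 36 days, which reads like a dropped zero from the conventional one-year `31536000`, and it is the only one of the three added headers without `always`, so it is also omitted on 4xx/5xx responses; suggested line: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Separately, nginx `add_header` is not additive across levels: a `location` that declares its own `add_header` replaces every server-level header, and `location @apiError` does exactly that with `Content-Type` right below the new lines, so the new headers (and the existing X-Content-Type-Options) will not be sent on error responses routed through @apiError unless they are repeated there, e.g. via a shared `include` snippet. X-XSS-Protection is a legacy header that current browsers ignore and that current guidance recommends setting to `0` or omitting; it is not a substitute for a Content-Security-Policy. The server block and the @apiError location both continue outside the hunk.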
@@ -50,7 +53,7 @@ server {
 error_page 502 = @apiError;
 rewrite ^/api/(.*) /$1 break;
-
+
 proxy_pass http://127.0.0.1:9101/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -91,7 +94,7 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
-
+
 # Disable buffering and chunked encoding.
 # In the stream case we want to receive the whole payload at once, we don't
 # want multiple chunks.
@@ -110,7 +113,7 @@ server {
 error_page 502 = @authError;
 rewrite ^/auth/(.*) /$1 break;
-
+
 proxy_pass http://127.0.0.1:9100/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;