diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf
index 6d480aa..87b9759 100644
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@@ -1,4 +1,4 @@
-# modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
+# heavily modified from https://github.com/mastodon/mastodon/blob/v4.0.2/dist/nginx.conf
 
 map $http_upgrade $connection_upgrade {
   default upgrade;
@@ -15,25 +15,14 @@ upstream streaming {
 
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 
-server {
-  listen [::]:80;
-  listen 80;
-
-  server_name fediverse.jarv.is;
-
-  if ($host = fediverse.jarv.is) {
-    return 301 https://$host$request_uri;
-  } # managed by Certbot
-
-  return 403;
-}
-
 server {
   listen [::]:443 http2 ssl ipv6only=on;
   listen 443 http2 ssl;
 
   server_name fediverse.jarv.is;
 
+  root /home/mastodon/live/public;
+
   ssl_certificate /etc/letsencrypt/live/fediverse.jarv.is/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/fediverse.jarv.is/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
@@ -44,11 +33,9 @@ server {
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/letsencrypt/live/fediverse.jarv.is/chain.pem;
 
-  keepalive_timeout    70;
-  sendfile             on;
-  client_max_body_size 80m;
-
-  root /home/mastodon/live/public;
+  keepalive_timeout 20;
+  sendfile on;
+  client_max_body_size 100m;
 
   gzip on;
   gzip_disable "msie6";
@@ -81,28 +68,34 @@ server {
     return 302 https://grafana.pipe.fail/public-dashboards/b5ca7a7c8e844f90b0973d2ab02bad0a;
   }
 
+  # sends most paths to the backend proxy and ignores the location blocks below, except if
+  # the file exists in /home/mastodon/live
   location / {
+    add_header Strict-Transport-Security "max-age=63072000" always;
     try_files $uri @proxy;
   }
 
-  location = /sw.js {
-    add_header Cache-Control "public, max-age=604800, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000" always;
-    try_files $uri =404;
-  }
-
+  # condensed version of original Mastodon nginx.conf
   location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
-    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Cache-Control "public, max-age=2419200, must-revalidate"; # 28 days
     add_header Strict-Transport-Security "max-age=63072000" always;
     try_files $uri =404;
   }
 
+  # media uploads & cache (irrelevant if offloading to S3)
   location ~ ^/system/ {
-    add_header Cache-Control "public, max-age=2419200, immutable";
+    add_header Cache-Control "public, max-age=2419200, immutable"; # 28 days
     add_header Strict-Transport-Security "max-age=63072000" always;
     try_files $uri =404;
   }
 
+  # static files in root of /public (sw.js, favicon.ico, etc) that aren't covered above
+  location ~ ^/(.*\.(js|css|png|gif|jpg|txt|ico))$ {
+    add_header Cache-Control "public, max-age=604800, must-revalidate"; # 7 days
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    try_files $uri @proxy;
+  }
+
   location ^~ /api/v1/streaming {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
@@ -117,9 +110,12 @@ server {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
 
+    # security headers
+    proxy_hide_header Strict-Transport-Security;
+    proxy_hide_header X-Powered-By;
     add_header Strict-Transport-Security "max-age=63072000" always;
 
-    # debugging
+    # debugging headers
     add_header Via "1.1 $proxy_host" always;
 
     tcp_nodelay on;
@@ -131,7 +127,7 @@ server {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header Proxy "";
-    # remove 'Server: Mastodon' response header
+    # uncomment to allow the 'Server: Mastodon' header to override nginx's:
     # proxy_pass_header Server;
 
     proxy_pass http://backend;
@@ -146,11 +142,16 @@ server {
     proxy_cache_valid 410 24h;
     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
 
-    # security
+    # security headers
     proxy_hide_header Referrer-Policy;
+    proxy_hide_header Strict-Transport-Security;
+    proxy_hide_header X-Powered-By;
+    proxy_hide_header X-Clacks-Overhead;
+    proxy_hide_header X-XSS-Protection;
     add_header Referrer-Policy "strict-origin" always;
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
-    # debugging
+    # debugging headers
     add_header Via "1.1 $proxy_host" always;
     add_header X-Cache-Status $upstream_cache_status always;
     add_header X-Got-Milk "2%" always;
@@ -160,3 +161,16 @@ server {
 
   error_page 404 500 501 502 503 504 /500.html;
 }
+
+server {
+  listen [::]:80;
+  listen 80;
+
+  server_name fediverse.jarv.is;
+
+  if ($host = fediverse.jarv.is) {
+    return 301 https://$host$request_uri;
+  } # managed by Certbot
+
+  return 403;
+}