diff --git a/nginx/sites-available/stats.REPLACEME.TLD.conf b/nginx/sites-available/stats.REPLACEME.TLD.conf
index e3de74f..6b079b9 100644
--- a/nginx/sites-available/stats.REPLACEME.TLD.conf
+++ b/nginx/sites-available/stats.REPLACEME.TLD.conf
@@ -1,16 +1,21 @@
-# PIWIK CONFIGURATION
+# MATOMO CONFIGURATION
 server {
+ listen [::]:80;
 listen 80;
 server_name stats.REPLACEME.TLD;
- return 301 https://stats.REPLACEME.TLD$request_uri;
+ return 301 https://$host$request_uri;
 }
 server {
- listen 443 ssl;
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
 server_name stats.REPLACEME.TLD;
 root /srv/http/stats.REPLACEME.TLD;
+ access_log /var/log/nginx/matomo.access.log;
+ error_log /var/log/nginx/matomo.error.log;
+
 ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
@@ -31,9 +36,9 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
- # Protect against XSS and clickjacking
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy origin always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
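Review bot: `return 301 https://$host$request_uri;` echoes whatever Host the client sent, so if this block ever acts as the default server on port 80 (no other block or `default_server` on that port) a request with an unrelated Host header is redirected to that host rather than to stats.REPLACEME.TLD; since `server_name` is fixed anyway, `return 301 https://$server_name$request_uri;` yields the same redirect for legitimate requests without depending on client input. The `http2` parameter on `listen` is deprecated from nginx 1.25.1 in favour of a separate `http2 on;` directive, so the two new `listen ... ssl http2;` lines will emit warnings on current releases; keep the listen form only if the target nginx is older. The second `server` block continues past the end of this hunk.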
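Review bot: Dropping `add_header X-Frame-Options "SAMEORIGIN"` without a replacement means nginx no longer sends any anti-clickjacking header for this site; if the intent is to leave it to Matomo (its UI appears to emit the header itself unless framing is enabled in its configuration, worth confirming for the deployed version, and the opt-out and widget iframes must stay embeddable), record that with a comment such as `# X-Frame-Options is left to Matomo so that opt-out/widget iframes remain embeddable`, otherwise keep the line with `always`. The three new headers carry `always`, but the unchanged `add_header Strict-Transport-Security max-age=15768000;` just below does not, so HSTS is omitted from every non-2xx/3xx response, including the 403/404 answers produced by the deny locations added later in this commit; `add_header Strict-Transport-Security max-age=15768000 always;` makes the set consistent. The removed "Protect against XSS and clickjacking" comment also leaves the new header group undocumented; a one-line `# Browser hardening headers (sent on error responses too, hence "always")` would restore that. The enclosing `server` block starts and ends outside this hunk.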
@@ -41,29 +46,49 @@ server {
 index index.php;
 charset utf-8;
- include /etc/nginx/h5bp/basic.conf;
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+ include fastcgi.conf;
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+ }
+
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
 location / {
- location ~* ^/tmp/.*\.html?$ { return 404; }
- location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { return 404; }
- location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ { return 404; }
- try_files $uri /index.php?$query_string;
+ try_files $uri $uri/ =404;
 }
- location = /favicon.ico { try_files /favicon.ico @empty; }
- location @empty { empty_gif; }
-
- location ~ \.php$ {
- try_files $uri =404;
- include fastcgi_params;
- fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_intercept_errors on;
- fastcgi_split_path_info ^(.+\.php)(.*)$;
- fastcgi_hide_header X-Powered-By;
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 404;
 }
- location ~* ^.+\.php$ { return 404; }
- location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
 }
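Review bot: The new `location ~ js/container_.*_preview\.js$` and the static-asset location each declare their own `add_header`, and in nginx an `add_header` at a lower level replaces (does not extend) the server-level set, so the JS/CSS/JSON and container-preview responses go out without `X-Content-Type-Options`, `Referrer-Policy`, `X-XSS-Protection` and HSTS — `nosniff` is exactly the header that matters for script responses. Restate the security headers in both locations (or move them into a snippet file and `include` it wherever `add_header` is used). The new PHP location also drops the `fastcgi_hide_header X-Powered-By;` that the removed block had, so the PHP version is disclosed again unless `expose_php` is off in php.ini. The deny locations pair `deny all;` with `return 403;`/`return 404;`; `return` runs in the rewrite phase before `deny` is consulted, so the `deny all;` lines are dead, and the ordering of the asset location before `location ~ /(libs|vendor|plugins|misc/user)` is load-bearing (regex locations are tested in order, which is what lets plugin assets through) and deserves a comment such as `# keep before the libs/vendor/plugins deny: regex locations match in order, plugin assets must stay reachable`. The enclosing `server` block starts outside this hunk.

```nginx
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
    include fastcgi.conf;
    fastcgi_param HTTP_PROXY "";
    # restored from the previous php location: hide the PHP version banner
    fastcgi_hide_header X-Powered-By;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
}

# … unchanged: deny-all .php, location /, config|tmp|core|lang, .ht …

location ~ js/container_.*_preview\.js$ {
    expires off;
    # add_header here replaces the server-level set, so restate the security headers
    add_header Referrer-Policy origin always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security max-age=15768000 always;
    add_header Cache-Control 'private, no-cache, no-store';
}

# … unchanged: static-asset location, which needs the same four headers restated …
```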