diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index 8d2168a..0687088 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -1,37 +1,112 @@
 # The Door — nginx config for alexanderwhitestone.com
 # Place at /etc/nginx/sites-available/the-door
 #
-# IMPORTANT: Also include deploy/rate-limit.conf in your main
-# /etc/nginx/nginx.conf http block:
-#   include /etc/nginx/sites-available/the-door/deploy/rate-limit.conf;
+# Crisis front door: single URL, no login, always open.
+# Static files + reverse proxy to Hermes Gateway on :8644
+#
+# Deploy:
+#   cp nginx.conf /etc/nginx/sites-available/the-door
+#   ln -sf /etc/nginx/sites-available/the-door /etc/nginx/sites-enabled/
+#   rm -f /etc/nginx/sites-enabled/default
+#   nginx -t && systemctl reload nginx
 
+# HTTP → HTTPS redirect
 server {
     listen 80;
+    listen [::]:80;
     server_name alexanderwhitestone.com www.alexanderwhitestone.com;
-    return 301 https://$server_name$request_uri;
+
+    # Allow certbot ACME challenge even without SSL
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+        allow all;
+    }
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
 }
 
+# Main HTTPS server
 server {
     listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name alexanderwhitestone.com www.alexanderwhitestone.com;
 
-    ssl_certificate /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
+    # ================================================================
+    # SSL Configuration
+    # ================================================================
+
+    ssl_certificate     /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/alexanderwhitestone.com/privkey.pem;
 
+    # Modern SSL settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 8.8.8.8 valid=300s;
+    resolver_timeout 5s;
+
+    # ================================================================
+    # Site Root
+    # ================================================================
+
     root /var/www/the-door;
     index index.html;
 
-    # Static files
+    # ================================================================
+    # Compression
+    # ================================================================
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_min_length 256;
+    gzip_types
+        text/plain
+        text/css
+        text/javascript
+        application/javascript
+        application/json
+        application/manifest+json
+        image/svg+xml;
+
+    # ================================================================
+    # Static files — the crisis front door
+    # ================================================================
+
     location / {
         try_files $uri $uri/ /index.html;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-Frame-Options DENY;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Referrer-Policy "no-referrer";
-        add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'";
+
+        # Security headers
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src 'self' data:;" always;
+        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+        # Cache static assets
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            expires 7d;
+            add_header Cache-Control "public, immutable";
+            add_header X-Content-Type-Options "nosniff" always;
+        }
     }
 
-    # API proxy to Hermes
+    # ================================================================
+    # API proxy — /api/* → Hermes Gateway :8644
+    # ================================================================
+
     location /api/ {
         proxy_pass http://127.0.0.1:8644/;
         proxy_http_version 1.1;
@@ -41,16 +116,21 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
 
         # CORS — allow alexanderwhitestone.com origins
-        add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
+        set $cors_origin "";
+        if ($http_origin ~* "^https://(www\.)?alexanderwhitestone\.com$") {
+            set $cors_origin $http_origin;
+        }
+        add_header Access-Control-Allow-Origin "$cors_origin" always;
         add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
         add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
+        add_header Access-Control-Allow-Credentials "true" always;
 
         # Handle OPTIONS preflight
         if ($request_method = OPTIONS) {
-            add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
-            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
-            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
-            add_header Access-Control-Max-Age 86400 always;
+            add_header Access-Control-Allow-Origin "$cors_origin";
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+            add_header Access-Control-Allow-Headers "Authorization, Content-Type";
+            add_header Access-Control-Max-Age 86400;
             return 204;
         }
 
@@ -62,13 +142,27 @@ server {
         proxy_read_timeout 300s;
 
         # Rate limiting — 10 req/min per IP, burst of 5
-        # Zone must be defined in nginx http block — see deploy/rate-limit.conf
+        # Zone defined in nginx http block — see deploy/rate-limit.conf
         limit_req zone=the_door_api burst=5 nodelay;
         limit_req_status 429;
     }
 
-    # Health check
-    location /health {
+    # ================================================================
+    # Health check — passthrough to Hermes
+    # ================================================================
+
+    location = /health {
         proxy_pass http://127.0.0.1:8644/health;
+        proxy_http_version 1.1;
+        access_log off;
+    }
+
+    # ================================================================
+    # Block dotfiles (except .well-known)
+    # ================================================================
+
+    location ~ /\.(?!well-known) {
+        deny all;
+        return 404;
     }
 }