ssl_prefer_server_ciphers
The `ssl_prefer_server_ciphers` directive controls the priority of cipher suites used in SSL/TLS connections.
Description
The `ssl_prefer_server_ciphers` directive in NGINX specifies whether the server's preferred order of cipher suites takes precedence over the client's preferences when establishing SSL/TLS connections. By default, the client's preference order decides which of the mutually supported cipher suites secures the connection. However, certain security policies may require the server to have the final say in which cipher suite is actually selected, especially to enforce stronger or more stable encryption methods.
When the directive is set to 'on', NGINX disregards the client's preference order and selects the first suite in the server's defined list that the client also supports. If set to 'off', the server honors the client's preference, which might result in weaker ciphers being used if the client prefers them. This directive is particularly useful for maintaining control over the security posture of the server by preventing clients from steering the handshake toward less secure cipher suites.
Config Example
ssl_prefer_server_ciphers on;
Ensure your cipher suite list is properly configured; otherwise, it may lead to connection failures if no compatible ciphers are available.
Setting this directive to 'on' may leave clients unable to connect if they do not support the strong ciphers you prefer.
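The selection behaviour from the Description and the connection-failure case from the notes above, as an added example: a simplified Python model, not NGINX or OpenSSL code. The function names, the server list and the three client profiles are constructed for illustration.

```python
"""Simplified model of cipher-suite selection (added example, not NGINX code)."""


def negotiate(client_order, server_order, prefer_server):
    """Return the suite that would be chosen, or None if the handshake fails.

    Only suites present in BOTH lists are eligible; the directive decides
    whose ordering picks the winner among them.
    """
    shared = set(client_order) & set(server_order)
    ranking = server_order if prefer_server else client_order
    return next((suite for suite in ranking if suite in shared), None)


def audit(server_order, clients):
    """For each client profile, report the outcome under 'off' and 'on'."""
    report = {}
    for name, client_order in clients.items():
        report[name] = {
            "off": negotiate(client_order, server_order, prefer_server=False),
            "on": negotiate(client_order, server_order, prefer_server=True),
        }
    return report


# Constructed sample data: OpenSSL-style suite names, most preferred first.
SERVER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",  # weak entry left in the server list on purpose
]
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "weak_first": ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    "legacy_only": ["DES-CBC3-SHA"],  # shares nothing with the server
}

if __name__ == "__main__":
    for name, outcome in audit(SERVER, CLIENTS).items():
        print(f"{name:12} off={outcome['off']}  on={outcome['on']}")
```

The `weak_first` profile shows that 'on' only reorders the choice: the weak suite stays reachable for any client that offers nothing better, so it has to be removed from the server list itself.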