diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 50ef831..98122e9 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -14,6 +14,7 @@ nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_buffer_size: 4k nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_protocols: TLSv1.2 TLSv1.3 +nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2 index 8b31cf6..efd215c 100644 --- a/roles/nginx/templates/https.j2 +++ b/roles/nginx/templates/https.j2 @@ -27,6 +27,7 @@ ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_protocols {{ nginx_ssl_protocols }}; + ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }}; ssl_ciphers "{{ tls_cipher_suite }}"; ssl_prefer_server_ciphers on;
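Review bot: The new default `nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1` has no comment, unlike the resolver setting just below it, and the list carries a build requirement that should be written down. nginx accepts a multi-curve list only from 1.11.0 when built against OpenSSL 1.0.2 or later, and X25519 needs OpenSSL 1.1.0 or later. On an older target, the `ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};` line added unconditionally in the https.j2 hunk would make nginx reject the rendered configuration. I would add above the default `# ECDHE curves in preference order; needs nginx >= 1.11.0 and OpenSSL >= 1.1.0 (X25519)` and `# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve`. Whether the role runs `nginx -t` before reloading is not visible in this diff; if it does not, that check would catch an unsupported curve name before it takes the listener down.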