diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json
index 912c519..4edfc40 100644
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@@ -1,4 +1,4 @@
 {
 "var_nginx_auto_reload_interval": null,
- "var_nginx_dhparam_size": 2048
+ "var_nginx_improved_security": false
 }
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 1edc2e2..46f353c 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -13,8 +13,9 @@
 {
 "name": "generate dhparams file",
 "become": true,
+ "when": "var_nginx_improved_security",
 "ansible.builtin.command": {
- "cmd": "openssl dhparam -out /etc/nginx/dhparam {{var_nginx_dhparam_size | string}}"
+ "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
 },
 "args": {
 "creates": "/etc/nginx/dhparam"
@@ -22,6 +23,7 @@
 },
 {
 "name": "place hardening config",
+ "when": "var_nginx_improved_security",
 "become": true,
 "ansible.builtin.copy": {
 "src": "ssl-hardening.conf",
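Review bot: In roles/nginx/defaults/main.json the new `var_nginx_improved_security` defaults to `false`, so a host that takes the role defaults now skips both the dhparam generation and the `ssl-hardening.conf` copy that the tasks file gates on this flag; before this commit neither task carried a `when`. If TLS hardening is meant to remain the baseline, ship `"var_nginx_improved_security": true` and let operators opt out explicitly. Removing `var_nginx_dhparam_size` also means an inventory that still sets it is ignored without any message, which deserves a line in the role's README or changelog.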
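Review bot: The `"creates": "/etc/nginx/dhparam"` guard on the "generate dhparams file" task means a host that already holds a file generated at the old size (2048 by default) keeps it, so the hard-coded 4096 only reaches freshly provisioned hosts. A preceding task that inspects the existing file (for example with `openssl dhparam -in /etc/nginx/dhparam -text -noout`) and removes it when it is smaller than 4096 bits would make the change take effect everywhere. Separately, the bare condition may treat a string value such as `"false"` passed with `-e` as truthy; `"when": "var_nginx_improved_security | bool"` avoids that, and the same applies to the "place hardening config" task in the next hunk. The task object closes outside this hunk.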
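Review bot: The "place hardening config" task only ever adds the file, so switching `var_nginx_improved_security` back to `false` on a host that was provisioned with it enabled leaves `ssl-hardening.conf` and `/etc/nginx/dhparam` in place and the host's TLS settings no longer match what the inventory says. Either document the flag as one-way or add the matching cleanup so the deployed state follows the variable. As a small style point, `"when"` sits before `"become"` here but after it in the dhparams task; keeping one order makes the conditions easier to scan. The rest of the copy task lies outside this hunk, so whether the nginx configuration includes the file unconditionally cannot be checked from here.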