Introduction

Correct SSL/TLS configuration protects data in transit. This guide helps you reach an A+ rating on SSL Labs.

1. Disable Old Protocols

In Nginx: ssl_protocols TLSv1.2 TLSv1.3; – remove SSLv3, TLSv1.0, TLSv1.1.

2. Strong Cipher Suites

Use modern ECDHE ciphers with forward secrecy: ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:....

3. Enable HSTS

Add header: Strict-Transport-Security "max-age=31536000; includeSubDomains; preload".

4. OCSP Stapling

ssl_stapling on; ssl_stapling_verify on; – the server attaches a fresh OCSP response to the handshake, so clients do not have to contact the CA's OCSP responder themselves, which improves handshake speed.

5. Strong DH Parameters

Generate dhparam.pem with 4096 bits and reference it.

6. Certificate Transparency

Ensure your certificate includes SCTs (Let’s Encrypt does automatically).

7. Additional Security Headers

X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block.

8. Perfect Forward Secrecy

All modern cipher suites support PFS. Verify with SSL Labs.

9. Short‑Lived Certificates

Use Let’s Encrypt (90 days) and auto‑renew via certbot.

10. Disable Session Tickets

ssl_session_tickets off; unless you rotate ticket keys frequently, because a long-lived ticket key can decrypt every session it protected and so undermines forward secrecy.

11. CAA DNS Records

Add CAA 0 issue "letsencrypt.org" to restrict which CAs can issue certificates.

12. Test with SSL Labs

Run ssllabs.com/ssltest/ and aim for A+.

13. Automate Renewal

Use certbot renew --deploy-hook "systemctl reload nginx".

14. Monitor Expiry

Set up UptimeRobot or Prometheus alert for certificate expiration.

15. Modern Nginx Template

Use Mozilla SSL Configuration Generator to get a ready‑to‑use config.

16. HTTP/2 and ALPN

Enable HTTP/2 with listen 443 ssl http2 (requires ALPN).

17. OCSP Must‑Staple

Optional but adds extra assurance. Request certificates with the OCSP Must-Staple extension.

18. Remove Weak Ciphers

Avoid CBC ciphers, RC4, and 3DES. Use only AEAD ciphers (the AES-GCM and ChaCha20-Poly1305 suites).
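A single Nginx server block that combines points 1 to 18 above, added here as a worked example rather than a configuration taken from the guide or from the Mozilla generator. Hostnames, certificate paths, the resolver address and the document root are placeholders.

```nginx
# Added example: a hardened Nginx server block applying the points in this guide.
# Hostnames, file paths, resolver and document root are placeholders, not values from the guide.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder hostname
    return 301 https://$host$request_uri;      # send every plain-HTTP request to HTTPS
}

server {
    listen 443 ssl http2;                      # 16. HTTP/2, negotiated through ALPN
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;   # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder path

    # 1. Only TLS 1.2 and 1.3; SSLv3, TLSv1.0 and TLSv1.1 are removed by not listing them
    ssl_protocols TLSv1.2 TLSv1.3;

    # 2./18. ECDHE key exchange (forward secrecy) with AEAD suites only: no CBC, RC4 or 3DES
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # 5. 4096-bit DH parameters, generated with: openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_dhparam /etc/nginx/dhparam.pem;

    # 4. OCSP stapling; ssl_stapling_verify needs the issuer chain and a resolver to fetch responses
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;   # placeholder path
    resolver 127.0.0.53 valid=300s;            # placeholder resolver address

    # 10. Resume sessions from the server-side cache instead of long-lived ticket keys
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # 3./7. HSTS plus the extra headers; "always" also sets them on error responses
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        root /var/www/example;                 # placeholder document root
    }
}
```

Run nginx -t after dropping this into /etc/nginx/sites-enabled/, then reload and re-check the host with SSL Labs (point 12).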

19. Client Certificates (mTLS)

For internal APIs, require client certificates: ssl_verify_client on, with ssl_client_certificate pointing at the CA that issues the client certificates. (ssl_verify_client optional_no_ca does not enforce this: it accepts a certificate without checking it against a trusted CA and leaves verification to the backend.)

20. Regular Re‑audit

Protocols and cipher recommendations evolve; re‑test every 6 months.

Conclusion

Implement TLS 1.3, HSTS, and strong ciphers. Test with SSL Labs to get A+.