After setting up codemichael.net I’ve been doing some tweaking here and there; one of the things I wanted to do was get an A+ rating from SSL Labs. Turns out it’s pretty easy to do if Nginx is your only front end.
I was looking at enabling HTTP/2 and I stumbled upon a very useful guide on Digital Ocean that included some security benefits. It specifically mentions at the bottom that if you do the configuration right you’ll end up with an A+, but I ended up tweaking a couple of extra items based on the recommendations on cipherli.st.
```nginx
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;          # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;           # Requires nginx >= 1.5.9
ssl_stapling on;                   # Requires nginx >= 1.3.7
ssl_stapling_verify on;            # Requires nginx >= 1.3.7
resolver 22.214.171.124 126.96.36.199 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```
Note that I used the OpenDNS servers for the stapling, and I only enabled TLSv1.2, disallowing v1.0 and v1.1. I don’t feel the need to support older devices, and if you have one of those then you can’t even read this.
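To keep this configuration from quietly regressing (a later edit re-adding TLSv1.1, or a shortened HSTS max-age), here is an added offline lint of an nginx TLS block against the points above. It is my example, not the author's or cipherli.st's; both sample blocks are constructed inline, the hardened one mirroring the post's directives.

```python
import re

# Constructed sample: the post's own directives, embedded so the check runs without a server.
HARDENED_CONF = """
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;           # Requires nginx >= 1.5.9
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""
# Constructed pre-hardening block, to show what gets flagged.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=300";
"""
DIRECTIVE = re.compile(r'^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*(#.*)?$')

def parse(conf):
    """Map each directive to its argument strings, with comments and quotes stripped."""
    out = {}
    for m in filter(None, map(DIRECTIVE.match, conf.splitlines())):
        out.setdefault(m.group(1), []).append(m.group(2).replace('"', ''))
    return out

def lint(conf):
    """Return findings; an empty list means every check this post relies on passes."""
    d, findings = parse(conf), []
    protos = set(' '.join(d.get('ssl_protocols', [])).split())
    legacy = sorted(protos & {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'})
    if not protos:
        findings.append('ssl_protocols unset: the nginx default may still offer TLSv1/TLSv1.1')
    elif legacy:
        findings.append('legacy protocols enabled: ' + ' '.join(legacy))
    if d.get('ssl_prefer_server_ciphers') != ['on']:
        findings.append('ssl_prefer_server_ciphers not on: the client chooses the suite')
    if d.get('ssl_session_tickets') != ['off']:
        findings.append('ssl_session_tickets not off: a static ticket key undermines forward secrecy')
    if d.get('ssl_stapling') != ['on'] or d.get('ssl_stapling_verify') != ['on']:
        findings.append('OCSP stapling not enabled and verified')
    headers = dict(h.split(None, 1) for h in d.get('add_header', []) if ' ' in h)
    hsts = headers.get('Strict-Transport-Security', '')
    age = re.search(r'max-age=(\d+)', hsts)
    if not age or int(age.group(1)) < 31536000 or 'includeSubDomains' not in hsts:
        findings.append('HSTS missing, max-age under one year, or without includeSubDomains')
    findings += [f'{h} header not set' for h in ('X-Frame-Options', 'X-Content-Type-Options') if h not in headers]
    return findings
```

Run `lint()` over the `ssl_*` and `add_header` lines of a server block before reloading nginx; the SSL Labs grade is the external confirmation, this is the pre-deploy check.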
The one thing I haven’t tried to tackle yet is HTTP Public Key Pinning (HPKP). I need to read up on it, not even certain I can do it, but I know enough to know that I’ll make codemichael.net unusable if I screw it up, so I’ll have to do some testing first. Maybe I need another droplet…