After setting up codemichael.net I’ve been doing some tweaking here and there; one of the things I wanted to do was get an A+ rating from SSL Labs. It turns out to be pretty easy if Nginx is your only front end.
I was looking at enabling HTTP/2 and stumbled upon a very useful guide on Digital Ocean that also covers some security benefits. It specifically mentions at the bottom that if you do the configuration right you’ll end up with an A+, but I ended up tweaking a couple of extra items based on the recommendations on cipherli.st.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Note that I used the OpenDNS servers as the resolver for OCSP stapling, and I only enabled TLSv1.2, disabling v1.0 and v1.1. I don’t feel the need to support older devices, and if you have one of those you can’t even read this.
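To check a snippet like the one above before reloading nginx, here is a small audit script I added for this post (not from the Digital Ocean guide or cipherli.st). It parses the ssl_* and add_header directives and flags the usual A+ blockers: protocols older than TLSv1.2, session tickets left on, stapling without verification or a resolver, and a short or incomplete HSTS header. The 180-day HSTS minimum and the finding codes are my own assumptions, and the two config samples are constructed for the demo.

```python
import re
import shlex

# Constructed samples: the hardened block from the post, and a weaker one for contrast.
HARDENED = """
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on;
ssl_stapling_verify on;
resolver 208.67.222.222 208.67.220.220 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""
WEAK = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
ssl_stapling on;
add_header Strict-Transport-Security "max-age=300";
"""
MIN_HSTS_AGE = 15552000  # 180 days; assumed minimum for a "long duration" HSTS policy

def parse_directives(text):
    """Yield (name, args) for each 'name arg ...;' line, dropping # comments."""
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # also strips the surrounding quotes
        if parts:
            parts[-1] = parts[-1].rstrip(';')
            yield parts[0], [p for p in parts[1:] if p]

def audit(config_text):
    """Return a list of finding codes; an empty list means every check passed."""
    directives, headers = {}, {}
    for name, args in parse_directives(config_text):
        if name == 'add_header' and len(args) >= 2:
            headers[args[0].lower()] = args[1]
        else:
            directives[name] = args
    findings = []
    for proto in directives.get('ssl_protocols', []):
        if proto not in ('TLSv1.2', 'TLSv1.3'):  # anything older gets flagged
            findings.append('legacy-protocol:' + proto)
    if directives.get('ssl_prefer_server_ciphers') != ['on']:
        findings.append('server-cipher-order-off')
    if directives.get('ssl_session_tickets') != ['off']:
        findings.append('session-tickets-on')
    if directives.get('ssl_stapling') == ['on']:
        if directives.get('ssl_stapling_verify') != ['on']:
            findings.append('stapling-unverified')
        if 'resolver' not in directives:
            findings.append('stapling-without-resolver')  # OCSP lookups need a resolver
    hsts = headers.get('strict-transport-security')
    if hsts is None:
        findings.append('hsts-missing')
    else:
        age = re.search(r'max-age=(\d+)', hsts)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append('hsts-short-max-age')
        if 'includesubdomains' not in hsts.lower():
            findings.append('hsts-no-includesubdomains')
    return findings
```

Running `audit(HARDENED)` returns an empty list, while `audit(WEAK)` lists each weak setting by code.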
The one thing I haven’t tried to tackle yet is HTTP Public Key Pinning (HPKP). I need to read up on it, and I’m not even certain I can do it, but I know enough to know that I’ll make codemichael.net unusable if I screw it up, so I’ll have to do some testing first. Maybe I need another droplet…