Getting my SSL Labs A+


After setting up I’ve been doing some tweaking here and there; one of the things I wanted to do was get an A+ rating from SSL Labs. Turns out it’s pretty easy to do if Nginx is your only front end.

I was looking at enabling HTTP/2 and I stumbled upon a very useful guide on Digital Ocean that included some security benefits. It specifically mentions at the bottom that if you do the configuration right you’ll end up with an A+, but I ended up tweaking a couple of extra items based on the recommendations on the

ssl_protocols TLSv1.2; # TLS 1.0 and 1.1 deliberately left out
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7; needs the issuer chain, either in the certificate file or via ssl_trusted_certificate
resolver 208.67.222.222 208.67.220.220 valid=300s; # OpenDNS resolvers (as noted below), used to fetch the OCSP response for stapling
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; # includeSubDomains and preload cover every subdomain and are slow to undo once on the preload list
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Note that I used the OpenDNS servers for the stapling, and I only enabled TLSv1.2, disallowing v1.0 and v1.1. I don’t feel the need to support older devices, and if you have one of those then you can’t even read this.
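Before submitting to SSL Labs it helps to confirm locally that the settings above actually took effect: that only TLS 1.2 is negotiated, that an OCSP response is being stapled, and that the HSTS header is present with a long enough max-age. The script below is an added example, not code from the original post. Given a hostname it probes the live server with openssl(1) and curl(1); with no argument it runs the same checks over constructed sample output (a good deployment and a weak one) so it can be read and run offline. The 180-day HSTS floor is an assumption; check the current SSL Labs rating guide for the exact figure.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for the
# nginx settings above: given a hostname it probes the live server with
# openssl(1) and curl(1); with no argument it runs the same checks over the
# constructed sample output below, so it also works offline.
set -eu

# Constructed sample of `openssl s_client -connect HOST:443 -status` output,
# trimmed to the lines the checks read: TLS 1.2 negotiated, OCSP stapled.
GOOD_SCLIENT='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample of `curl -sI https://HOST/` with the headers from the post.
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff'

# Constructed sample of a weak deployment: nothing stapled, TLS 1.0 negotiated,
# and an HSTS policy too short to count.
WEAK_SCLIENT='OCSP response: no response sent
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# HSTS max-age floor, 180 days. Assumed here; confirm against the SSL Labs rating guide.
HSTS_MIN_AGE=15552000

# Print the negotiated protocol from s_client output, e.g. "TLSv1.2".
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if the negotiated protocol is TLS 1.2 or newer.
tls_protocol_ok() {
    case "$(negotiated_protocol "$1")" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the server stapled an OCSP response that parsed successfully.
stapling_ok() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Print the max-age from the Strict-Transport-Security header, nothing if absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Succeed only if HSTS is present with max-age at or above HSTS_MIN_AGE.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# Run every check against captured output, one line per result; non-zero if any fails.
run_checks() {
    sclient=$1; headers=$2; failed=0
    if tls_protocol_ok "$sclient"; then echo "ok   protocol $(negotiated_protocol "$sclient")"
    else echo "FAIL protocol '$(negotiated_protocol "$sclient")' (need TLSv1.2 or newer)"; failed=1; fi
    if stapling_ok "$sclient"; then echo "ok   OCSP stapling"
    else echo "FAIL OCSP stapling (no successful stapled response)"; failed=1; fi
    if hsts_ok "$headers"; then echo "ok   HSTS max-age=$(hsts_max_age "$headers")"
    else echo "FAIL HSTS (missing, or max-age below $HSTS_MIN_AGE)"; failed=1; fi
    return "$failed"
}

# Probe a live host. Legacy versions are checked by requesting them explicitly;
# with `ssl_protocols TLSv1.2;` both handshakes must fail.
probe_live() {
    host=$1; status=0
    sclient=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null || true)
    headers=$(curl -sI "https://$host/" || true)
    run_checks "$sclient" "$headers" || status=1
    for v in tls1 tls1_1; do
        if printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" "-$v" >/dev/null 2>&1; then
            echo "FAIL $v still accepted"; status=1
        else
            echo "ok   $v refused"
        fi
    done
    return "$status"
}

if [ $# -gt 0 ]; then
    probe_live "$1"
else
    echo "== good sample =="; run_checks "$GOOD_SCLIENT" "$GOOD_HEADERS" || true
    echo "== weak sample =="; run_checks "$WEAK_SCLIENT" "$WEAK_HEADERS" || true
fi
```

Run it as `sh check_tls.sh example.com` against the real server once the config is reloaded; a FAIL on the legacy-protocol lines means `ssl_protocols` is being overridden by another server block, which is a common reason the SSL Labs grade comes back lower than expected.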

The one thing I haven’t tried to tackle yet is HTTP Public Key Pinning (HPKP). I need to read up on it, and I’m not even certain I can do it, but I know enough to know that I’ll make the site unusable if I screw it up, so I’ll have to do some testing first. Maybe I need another droplet…
