A+ on SSL Labs

SSL/Cert [cli]

• 4096-bit private keys

  openssl genrsa -out domain.com.key 4096 certbot certonly -d domain.com --rsa-key-size 4096

• Key exchange

  openssl dhparam -dsaparam -out /etc/nginx/dh.pem 4096

NGINX configuration

• Hide NGINX version number

  server_tokens off;

• TLS 1.2 (+TLS 1.3)

  ssl_protocols TLSv1.2;

• ECDH curve

  ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

• SSL ciphers

  ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

• Key exchange

  ssl_dhparam /etc/nginx/dh.pem;

• BEAST attack

  ssl_prefer_server_ciphers on;

• HTTP Strict Transport Security

  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

• Content-Security-Policy

  add_header Content-Security-Policy "default-src 'none'; script-src 'self'; content-src 'self'; img-src 'self'; style-src 'self';" always;

• Referrer-Policy

  add_header Referrer-Policy "no-referrer";

• Clickjacking protection

  add_header X-Frame-Options "SAMEORIGIN" always;

• X-XSS-Protection

  add_header X-XSS-Protection "1; mode=block" always;

• X-Content-Type-Options

  add_header X-Content-Type-Options "nosniff" always;

SEE ALSO

<https://www.prillwitz.io/>

<www.prillwitz.io on ssllabs>

<disclaimer/imprint>