SSL/Cert [cli]
4096-bit private keys
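# Generate a 4096-bit RSA private key. OpenSSL honours the umask when creating
# the output file, so without a restrictive umask the key typically lands on
# disk world-readable; run it in a subshell with umask 077 so only the owner
# can read it.
(umask 077 && openssl genrsa -out domain.com.key 4096)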
# Obtain a certificate for domain.com with a 4096-bit RSA key; certonly only
# fetches the cert, it does not edit the nginx config.
# NOTE(review): newer certbot releases default to ECDSA keys and may expect
# --key-type rsa alongside --rsa-key-size — confirm against your certbot version.
certbot certonly -d domain.com --rsa-key-size 4096
Diffie-Hellman parameters (only used by DHE cipher suites; ECDHE suites and TLS 1.3 do not read this file)
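# Generate 4096-bit DH parameters with a safe prime. The -dsaparam shortcut is
# much faster but yields non-safe-prime parameters that rely on the server
# generating a fresh DH key for every connection; safe primes are the
# conservative choice for a file that will be reused for years.
# Expect this to take a long time on modest hardware.
openssl dhparam -out /etc/nginx/dh.pem 4096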
NGINX configuration
Hide NGINX version number
# Strip the nginx version from the Server header and default error pages.
# This only reduces fingerprinting noise; it is not a substitute for patching.
server_tokens off;
TLS 1.2 and TLS 1.3 only (TLS 1.3 needs nginx built against OpenSSL 1.1.1 or later; older builds ignore the TLSv1.3 token)
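# Allow only TLS 1.2 and TLS 1.3; SSLv3/TLS 1.0/TLS 1.1 are excluded entirely.
# The original line listed TLSv1.2 alone even though the section is titled
# "TLS 1.2 (+TLS 1.3)"; enabling TLSv1.3 here matches the intent and requires
# nginx built against OpenSSL 1.1.1+.
ssl_protocols TLSv1.2 TLSv1.3;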
ECDH curve
# Curves offered for ECDHE key exchange, in server preference order.
# X25519 first, then the NIST P-curves; all four are widely supported.
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
SSL ciphers
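# TLS 1.2 cipher suites: forward-secret (ECDHE) and AEAD (GCM / ChaCha20-Poly1305)
# only. The two ECDHE-*-AES256-SHA384 CBC suites from the original list are
# dropped: CBC-with-HMAC suites are not AEAD and have a history of padding-oracle
# issues, and every client that negotiates TLS 1.2 can do GCM or ChaCha20.
# TLS 1.3 suites are not controlled by this directive.
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";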
Diffie-Hellman parameters (only consulted for DHE suites; the cipher list above contains none, so this is a safety net for any DHE suite added later)
# Path to the DH parameters generated earlier. Only DHE cipher suites use this
# file; the ECDHE-only cipher list above never touches it, and TLS 1.3 ignores it.
ssl_dhparam /etc/nginx/dh.pem;
Cipher preference order (BEAST affects SSL 3.0 and TLS 1.0 CBC suites only, which are already disabled above; this directive simply makes the server's ordering win)
# Use the server's cipher order rather than the client's when negotiating.
# This is not a BEAST mitigation: BEAST targets TLS 1.0 CBC, which
# ssl_protocols above no longer offers. With an AEAD-only list the ordering
# mainly decides ChaCha20 vs AES-GCM; some guides prefer "off" so mobile
# clients without AES hardware can pick ChaCha20 themselves.
ssl_prefer_server_ciphers on;
HTTP Strict Transport Security
# HSTS for two years, covering every subdomain. Browsers only honour the header
# when received over HTTPS, so it must be set on the TLS server block.
# includeSubDomains means every subdomain must serve valid TLS from now on;
# do not add "preload" unless you are ready to submit to the preload list, as
# removal from it is slow. "always" also emits the header on error responses.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
Content-Security-Policy
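# Content-Security-Policy: deny everything by default, then allow same-origin
# scripts, XHR/fetch/WebSocket connections, images and styles.
# The original used "content-src", which is not a CSP directive and is
# silently ignored by browsers; the intended directive is "connect-src".
# frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN
# (set below) and base-uri 'self' blocks <base> injection tricks.
# Fonts, media and frames remain blocked by default-src 'none'; add the
# matching directives if the site needs them.
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self';" always;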
Referrer-Policy
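# Never send a Referer header. Added "always" for consistency with the other
# security headers so it is also sent on 4xx/5xx responses; nginx otherwise
# only adds headers on 2xx/3xx/304.
add_header Referrer-Policy "no-referrer" always;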
Clickjacking protection
# Legacy clickjacking protection: only same-origin pages may frame this site.
# Modern browsers prefer CSP frame-ancestors; keep both for older clients.
add_header X-Frame-Options "SAMEORIGIN" always;
X-XSS-Protection (legacy header; explicitly disable the browser XSS auditor)
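# Explicitly disable the legacy browser XSS auditor. Current browsers have
# removed it, and in older ones "1; mode=block" could itself be abused
# (filter-induced cross-site leaks); a real CSP (above) is the actual
# XSS defence. OWASP and Mozilla now recommend the value "0".
add_header X-XSS-Protection "0" always;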
X-Content-Type-Options
# Stop browsers from MIME-sniffing responses away from the declared
# Content-Type; also required for strict script/stylesheet type checking.
add_header X-Content-Type-Options "nosniff" always;
SEE ALSO