I recently got a shiny new 2048-bit SSL certificate for onebytetoomany.co.uk (even Facebook is still on the now considered insecure 1024-bit cert at the time of writing). I’m in the process of getting an extended validation (EV) certificate, but in the meantime I had the task of hardening our nginx server to include the following:
- Up-to-date SSL/TLS protocol support (TLS 1.1 and 1.2)
- A sensible cipher preference order, with protection against the BEAST attack, following currently accepted best practice
- Support for Perfect Forward Secrecy (PFS)
- HTTP Strict Transport Security (HSTS) support
- Hardening against being framed in an iframe
Here’s the result:
You will need the following prerequisites installed:
# Protocols offered to clients
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Enable HSTS (max-age is one year, in seconds)
add_header Strict-Transport-Security max-age=31536000;
# Iframe prevention: refuse to be rendered inside any frame
add_header X-Frame-Options DENY;
The cipher priorities might change: there is much discussion about RC4 being old, but apparently it is the best we have right now.
If you want to hear all about Strict Transport Security, I suggest listening to Steve Gibson :)
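As an added example (not part of the original post), here is a small checker that reads the directives above and reports anything a reviewer would flag: SSLv2/SSLv3 still offered, a missing or short HSTS max-age, or a missing X-Frame-Options. The sample config, the six-month HSTS threshold and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the directives from the post, as nginx would read them.
SAMPLE_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Enable HSTS
add_header Strict-Transport-Security max-age=31536000;
# Iframe prevention
add_header X-Frame-Options DENY;
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_HSTS_AGE = 15768000  # roughly six months; threshold chosen for this checker


def parse_directives(text):
    """Return (name, [args]) for each non-comment nginx directive line."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def check_tls_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, headers, protocols = [], {}, []
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            protocols = args
        elif name == "add_header" and len(args) >= 2:
            # Header values may be quoted, e.g. "max-age=...; includeSubDomains"
            headers[args[0].lower()] = " ".join(args[1:]).strip('"')
    weak = sorted(set(protocols) & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(weak))
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_AGE)
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for finding in check_tls_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the post's own directives it reports only the SSLv3 entry; remove that token from ssl_protocols and it reports nothing.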