SSL Security Checks
You've obtained an SSL certificate for your web site and now all your visitors see a comforting green padlock in their browser. Whew! You've taken a big step forward in the security of your site, but you may want to take a few more little steps.
Strict Transport Security
Once you configure your SSL certificate, you will likely want to configure your web server to redirect any http traffic to the equivalent https URL. This allows someone who simply types your domain name into their browser to reach the secured site. However, that initial unencrypted connection still leaves a small window in which someone could hijack the client's connection.
To help avoid this scenario, you should configure your web server to use HTTP Strict Transport Security (HSTS). HSTS is enforced by having the web server send a Strict-Transport-Security response header to the client. Compatible clients will then send all future requests to your domain over HTTPS, even if the user doesn't explicitly include the protocol when typing in your domain name.
If you're using nginx for your web server, configuring HSTS is as simple as adding a line to the HTTPS server configuration for your site.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ...
        # max-age is in seconds; 15768000 is roughly six months
        add_header Strict-Transport-Security max-age=15768000;
    }
CAA Records
In order to prevent unauthorized Certificate Authorities from issuing certificates for your domain, you can configure a Certificate Authority Authorization (CAA) record in the DNS records for your domain. The CAA record indicates which CAs are permitted to issue certificates and provides a way for CAs to report unauthorized requests for certificates. Using CAA records helps prevent a compromised CA from issuing certificates for your domain.
CAA Record Helper is a tool provided by SSLMate that will help you generate the correct records for your DNS settings. You only need to copy and paste their recommended settings into your DNS settings as a CAA record.
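The HSTS header and CAA record sections above describe settings you can verify yourself. The following is an added example (not code from the original post) that performs both checks offline: it parses a Strict-Transport-Security header value and flags weak settings, and it applies the CAA issuance rules of RFC 8659 to a record set. The header values, CA names and CAA records are constructed samples, not live data.

```python
# Added example (not from the original post): offline versions of two of the
# checks above. Inputs are constructed samples, not live HTTP or DNS data.
import re

MIN_MAX_AGE = 15768000  # six months, the value used in the nginx example above


def check_hsts(header_value):
    """Parse a Strict-Transport-Security value; return (ok, list_of_findings)."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    findings = []
    age = directives.get("max-age")
    if age is None:
        findings.append("max-age directive missing")
    elif not re.fullmatch(r"\d+", age):
        findings.append("max-age is not a non-negative integer")
    elif int(age) < MIN_MAX_AGE:
        findings.append("max-age below six months (0 disables HSTS)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return (not findings, findings)


def parse_caa(presentation):
    """Turn '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = presentation.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def caa_permits(records, ca_domain, wildcard=False):
    """RFC 8659 rules over (flags, tag, value) records: issuewild records, when
    present, alone govern wildcard names; otherwise issue records govern both.
    A set with no restricting tag (e.g. only iodef) does not restrict issuance."""
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    # Parameters after ';' are ignored; a bare ';' yields an empty issuer name,
    # which authorises no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed


# Constructed sample records in the presentation form the CAA Record Helper emits.
SAMPLE_CAA = [parse_caa(r) for r in ('0 issue "letsencrypt.org"',
              '0 issuewild ";"', '0 iodef "mailto:security@example.com"')]
```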
Avoid Insecure Protocols
Even if your site is using a security certificate, it's possible you're still allowing older security protocols that are no longer considered secure. Older versions of the SSL and TLS protocols have known security weaknesses, and you should disable them.
Avoid Insecure Cipher Suites
The SSL and TLS protocols are built on a collection of cipher suites that provide the cryptographic protection for your site's communications. Several obsolete suites should be disabled; your server should rely primarily on the AEAD suites.
Scanning Tools
To assist in maintaining a secure site, even once you have installed a security certificate, you can use an online tool that will scan your site and identify potential vulnerabilities. SSL Labs Server Test will perform an analysis of the security settings on your domain and recommend updates to make your domain more secure. The recommendations will identify missing CAA records, along with insecure protocols and cipher suites that may be available on your domain.
Best Practices
SSL Labs maintains a set of SSL and TLS Deployment Best Practices that provide much greater detail on these issues and many others. If you're responsible for web site security, it's definitely worth reviewing.