Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
a8ae2f4a56baf78845c041c833946d00
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua
5e1e4087285a6c7c7d503332b14c5bf7
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
a8ae2f4a56baf78845c041c833946d00
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
ssl.use-sslv2 = "disable" ...
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol +TLSv1.2 +TLSv1.3
!TLSv1.1 !TLSv1.0 !TLSv1 !SSLv2 !SSLv3
TLS
_ECDHE
_RSA
_AES_128_CBC
_SHA256
ECDHE-RSA-AES128-SHA256
Forward Secrecy
ephemeral
static
Key Strength
Session Resumption
session id
session ticket
Diffie–Hellman
(DH)
Rivest–Shamir–Adleman
(RSA)
Elliptic-curve
Diffie–Hellman
(ECDH)
Elliptic-curve
Diffie–Hellman Ephemeral
(ECDHE)
Diffie-Hellman Ephemeral
(DHE)
Block Cipher
secure
insecure
unused
Block Cipher Mode
Rivest Cipher 4
(ARCFOUR/RC4)
ChaCha
(ChaCha20)
Block Size of 64 bits
(DES, 3DES, GHOST, IDEA, RC2)
Advanced Encryption Standard
(AES128, AES256)
CBC mode only
(SEED)
Far East
(ARIA, Camellia)
Cipher Block Chaining
(CBC)
Galois/Counter Mode
(GCM)
Counter with CBC-MAC
(CCM/CCM-8)
MAC types
HMAC
UMAC
MAC algorithms
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
cipher suites
explicit list
list operations
cipher preference
ssl.cipher-list = "CipherSuiteString"
ssl_ciphers CipherSuiteString
SSLCipherSuite CipherSuiteString
HIGH:!PSK:!SRP:!aNULL:!aDSS:!kRSA:!ARIA:!CAMELLIA:!SHA:!AESCCM
honor-cipher-order = "enable"
ssl_prefer_server_ciphers On;
SSLHonorCipherOrder On
Always On
Certificate Revocation List
Online Certificate Status Protocol
Responders
Stapling
Certificate validity period
Location
CRL
✗
Access
Size
✗
✗
OCSP
✗
✗
✓
Privacy
✗
✓
OCSP Stapling
✓
✓
✓
✓
Full Chain
✗
✓
✓
OCSP Multi Stapling
✓
✓
✓
✓
✓
?
Support
✓
✓
✓
Hack proof
✗
✗
✗
✗
-
ssl_stapling on;
SSLUseStapling on
Should Be On
Key Exchange
Session Resumption
Revocation Check
Performance
Support
Diffie–Hellman
(DH)
Rivest–Shamir–Adleman
(RSA)
Elliptic-curve
Diffie–Hellman
(ECDH)
Elliptic-curve
Diffie–Hellman Ephemeral
(ECDHE)
Diffie-Hellman Ephemeral
(DHE)
anonymous
(NULL)
Rivest–Shamir–Adleman
(RSA)
Elliptic Curve
Digital Signature Algorithm
(ECDSA)
Digital Signature Algorithm
(DSA)
Edwards-Curve
Digital Signature Algorithm
(EdDSA)
Rivest Cipher 4
(ARCFOUR/RC4)
ChaCha
(ChaCha20)
Block Size of 64 bits
(DES, 3DES, GHOST, IDEA, RC2)
Advanced Encryption Standard
(AES128, AES256)
CBC mode only
(SEED)
Far East
(ARIA, Camellia)
Cipher Block Chaining
(CBC)
Galois/Counter Mode
(GCM)
Counter with CBC-MAC
(CCM/CCM-8)
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_CHACHA20_POLY1305_SHA256
Certificate Revocation List
Online Certificate Status Protocol
Responders
Stapling
session resumption
(session id)
session resumption without server-side state
(session ticket)
static pre-shared-key
(PSK_KE)
ephemeral pre-shared-key
(PSK_DHE_KE)
Handshake
Resumption
Application layer
Most popular
(Chrome/Chromium, Firefox)
Less popular
(Apple, Edge)
Most popular
(Apache, NGINX)
Less popular
(IIS, Lighty)
Most popular
(Cloudflare, KeyCDN)
Most popular
(OpenSSL, GnuTLS)
Less popular
(Boring SSL, Fizz)
Automatic Redirection to HTTPS
Security Headers
Automatic Redirect to HTTPS
Public Key Pinning
Defense against
Clickjacking
Content Injection Attacks
Cross-site scripting
setenv.add-response-header=("Strict-Transport-Security"=>"Value")
add_header Strict-Transport-Security 'Value' always;
Header always set Strict-Transport-Security "Value"
max-age=63072000; includeSubdomains;
preload
setenv.add-response-header=("Public-Key-Pins"=>"Value")
add_header Public-Key-Pins 'Value' always;
Header always set Public-Key-Pins "Value"
pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf...";
report-uri="https://example.com/report/hpkp";
max-age=15768000;
includeSubDomains
setenv.add-response-header=("Expect-Staple"=>"Value")
add_header Expect-Staple 'Value' always;
Header always set Expect-Staple "Value"
max-age=31536000;
report-uri="https://example.com/report/staple";
includeSubDomains;
preload
setenv.add-response-header=("Expect-Staple"=>"Value")
add_header Expect-Staple 'Value' always;
Header always set Expect-Staple "Value"
max-age=31536000;
report-uri="https://example.com/report/staple";
enforce
setenv.add-response-header=("X-Frame-Options"=>"Value")
add_header X-Frame-Options "Value" always;
Header always set X-Frame-Options "Value"
deny/sameorigin
setenv.add-response-header=("X-XSS-Protection"=>"Value")
add_header X-XSS-Protection "Value" always;
Header always set X-XSS-Protection "Value"
X-XSS-Protection: 1; mode=block
setenv.add-response-header=("Feature-Policy"=>"Value")
add_header Feature-Policy "Value" always;
Header always set Feature-Policy "Value"
microphone 'none';
geolocation ''*'';
payment 'self';
...
setenv.add-response-header=("Content-Security-Policy"=>"Value")
add_header Content-Security-Policy "Value" always;
Header always set Content-Security-Policy "Value"
default-src https://same.domain:443
Online checkers
Offline checkers
Transport Layer Security
Security Headers