Jae Beojkkoch

Obtaining A+ SSL w/ Caddy

Hi there, today I'm going to show you how to get an A+ on SSL Labs.

Note: This tutorial is only usable with Caddy Server.

The DNS CAA

The DNS CAA record (DNS Certification Authority Authorization) is a security mechanism that lets you declare which certificate authorities are authorized to issue certificates for your domain.

For instance, if you use Let's Encrypt certificates, you would authorize letsencrypt.org to issue certificates for your domains.

To add this layer of verification, add a CAA record to your domain's DNS.


In plain text, the record looks like this:

your.domain. CAA 0 issue "letsencrypt.org"

Headers

To get the A+ score, you need to set up some headers as shown below:

header {
    X-Frame-Options "Deny"
    # Quoted value spanning several lines; it is sent as one header value.
    Content-Security-Policy "
        default-src 'none';
        style-src 'self';
        script-src 'self';
        font-src 'self';
        img-src data: 'self';
        form-action 'self';
        connect-src 'self';
        frame-ancestors 'none';
        base-uri 'self';
        report-uri {$CSP_REPORT_URI}
    "
    # {$CSP_REPORT_URI} is substituted from the environment variable of that name.
    X-Content-Type-Options "nosniff"
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

Let's see what all of this does, shall we?

  • X-Frame-Options "Deny" prevents other pages or websites from embedding your domain in frames, iframes, embeds or objects. Instead of Deny, you can set it to SAMEORIGIN so that pages on your own site can still frame it.
  • X-Content-Type-Options "nosniff" prevents MIME sniffing, so browsers honour the declared Content-Type instead of guessing it.
  • Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" tells browsers to connect to your domain only over HTTPS with a valid certificate for the period given by the max-age parameter (one year in our case). If a valid certificate is not presented, the browser displays an error instead of the page. The includeSubDomains directive applies the policy to all subdomains as well, and preload marks the domain as a candidate for the browsers' built-in HSTS preload list.
  • Content-Security-Policy is a set of policies that controls which origins may load resources (such as CSS or JavaScript files) into your pages. The provided configuration only allows the current domain to load files, which can be problematic in some use cases. To allow another domain to serve resources, add it after 'self', e.g. style-src 'self' CDN.domain.TLD;
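As an added example (not code from the original post), here is a small Python audit that checks a response's headers against the policy described above and verifies the CAA record from the DNS section; the sample headers and record are constructed inline so it runs offline.

```python
import re
# Constructed sample: the headers a server configured as in this post should return.
SAMPLE_HEADERS = {
    "X-Frame-Options": "Deny",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; style-src 'self'; script-src 'self'; "
                               "img-src data: 'self'; frame-ancestors 'none'; base-uri 'self'",
}
# Constructed sample of the CAA record from the DNS section, in zone-file text form.
SAMPLE_CAA = 'your.domain. CAA 0 issue "letsencrypt.org"'

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_hsts(value):
    """Return (max_age_seconds, {lower-cased flags}) from an HSTS header value."""
    max_age, flags = 0, set()
    for d in (p.strip() for p in value.split(";")):
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1])
        elif d:
            flags.add(d.lower())
    return max_age, flags

def audit_headers(headers):
    """Compare a response's headers with the post's policy; [] means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
    csp = parse_csp(h.get("content-security-policy", ""))
    checks = [
        ("X-Content-Type-Options is not nosniff", h.get("x-content-type-options", "").lower() == "nosniff"),
        ("X-Frame-Options is not DENY or SAMEORIGIN", h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")),
        ("HSTS max-age below one year", max_age >= 31536000),  # the post's max-age value
        ("HSTS lacks includeSubDomains", "includesubdomains" in flags),
        ("CSP default-src is not 'none'", csp.get("default-src") == ["'none'"]),
        ("CSP frame-ancestors is not 'none'", csp.get("frame-ancestors") == ["'none'"]),
    ]
    return [finding for finding, ok in checks if not ok]

def caa_allows(record_text, ca):
    """True if the CAA record's 'issue' tag names exactly this CA."""
    m = re.search(r'\bCAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', record_text)
    return bool(m) and m.group(2) == "issue" and m.group(3) == ca
```

To audit a live site, feed `audit_headers` the header dictionary returned by your HTTP client instead of `SAMPLE_HEADERS`.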

Final words

Congrats! You should be ready now. The only thing left to do is to test your settings with a tool like SSL Labs.
