1) Use a strong cipher suite (OpenSSL names; the ECDHE/DHE suites give forward secrecy and come first, the plain RSA suites at the end do not):
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256;
2) Use only current TLS protocol versions:
ssl_protocols TLSv1.2 TLSv1.3;
3) Use strong Diffie-Hellman parameters for the DHE suites (generate the file with openssl dhparam -out dhparam.pem 2048, or larger):
ssl_dhparam dhparam.pem;
4) Let the server's cipher order take precedence over the client's:
ssl_prefer_server_ciphers on;
5) Cache sessions for a reasonable time, so resumption works without keeping session state around for long:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
6) Use strong curves for ECDHE key exchange:
ssl_ecdh_curve prime256v1:secp384r1;
7) Enable OCSP stapling and verify the stapled response:
ssl_stapling on;
ssl_stapling_verify on;
8) Tell browsers to use HTTPS only (HSTS):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
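To check a server block against the settings above without touching the network, here is an added Python example (not code from the original page) that parses one-directive-per-line nginx config text and reports deviations; the thresholds and the two sample configs are constructed for the example.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "aNULL", "eNULL"}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value in the add_header line above
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?);\s*$", re.M)  # one "name args;" per line

# Constructed sample configs: the hardened set from above, and a legacy one to flag.
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
"""
LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA;
add_header Strict-Transport-Security "max-age=300";
"""

def parse_directives(conf):
    found = {}  # directive name -> argument strings in file order (nginx honours the last)
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.strip())
    return found

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf)
    def last(name): return d.get(name, [""])[-1]
    findings = []
    protos = set(last("ssl_protocols").split())
    if not protos or protos - ALLOWED_PROTOCOLS:
        findings.append("ssl_protocols: expected only TLSv1.2/TLSv1.3, got %s" % sorted(protos))
    for suite in last("ssl_ciphers").split(":"):  # "!..." entries exclude suites, so skip them
        if suite and not suite.startswith("!") and set(suite.split("-")) & WEAK_CIPHER_TOKENS:
            findings.append("ssl_ciphers: weak suite %s" % suite)
    if last("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers: not on")
    if not last("ssl_dhparam"):
        findings.append("ssl_dhparam: missing, so DHE suites have no explicit group")
    if last("ssl_stapling") != "on" or last("ssl_stapling_verify") != "on":
        findings.append("ssl_stapling/ssl_stapling_verify: not both on")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if age is None or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security: missing or max-age under one year")
    return findings
```

Run audit() over the ssl_* lines of a real server block to get the same kind of report; nested blocks and comments are not parsed.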