
How to get A+ rating with your SSL (Nginx Edition) - keydutch
https://dev.hummdis.com/projects/dev-null/2019/get-an-a-rating-with-your-ssl-nginx-edition/
======
Avamander
I find the guide quite bad because:

1. It manually specifies ciphers - it's a bad idea because it requires
constant maintenance. Use `HIGH:MEDIUM:!LOW` (or `HIGH:!MEDIUM:!LOW`) instead,
because I heavily doubt you need NIST/HIPAA or whatever compliance.

Just make sure you update both nginx and OpenSSL (Debian/Ubuntu have
`unattended-upgrades`, for example) when you have automatic cipher selection
enabled.

2. It conflates browser TLS-related headers with plain browser security
headers - of the headers it applies (via the .htaccess file), only `Expect-CT`
and `Expect-Staple` are actually TLS-related.

3. It forgot to explain pretty much all of the headers it suggests you slap
on - for example `Strict-Transport-Security` and what it does.

4. Doesn't mention how even TLS-related headers can break your site. Doesn't
mention how the rest of the headers can break your site - don't slap them on
your stuff blindly!

5. Modifies every cookie to httponly - this **will** break things (JavaScript
cookie access, for example) and you should configure your application to do
this.

6. .htaccess is not really the nginx way of adding headers.

7. The comment in the .htaccess code block about Apache/nginx adding any
headers (by default) is wrong - if it requires a prequel tutorial, then that
should be mentioned more clearly.

8. Doesn't talk about using a DNS CAA record - which it should if your goal is
secure TLS.

Just... don't follow this guide. Configure TLS and browser security
separately, use
[https://ssllabs.com/ssltest/analyze.html](https://ssllabs.com/ssltest/analyze.html)
to test your TLS configuration and
[https://securityheaders.io](https://securityheaders.io) for browser security
headers.
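As an added example (not code from the original post, from the linked guide, or from the nginx project), here is what the separation the comment argues for looks like in an nginx server block: transport settings and the one TLS-related header in one place, the rest of the browser security headers in a separate include file. The hostname, certificate paths, resolver address, upstream port and the include file name are assumptions.

```nginx
# Added example, not from the original post or the linked guide.
# example.com, the certificate paths, the resolver and the include file
# are assumptions; substitute your own.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # --- TLS (transport) settings ------------------------------------
    ssl_protocols TLSv1.2 TLSv1.3;

    # OpenSSL cipher *class* string instead of a hand-maintained list, as
    # the comment above suggests. !aNULL drops the anonymous (unauthenticated)
    # suites that the HIGH class would otherwise still include; nginx's own
    # default is HIGH:!aNULL:!MD5. TLS 1.3 suites are not affected by
    # ssl_ciphers at all, so this only governs TLS 1.2.
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling. ssl_trusted_certificate must hold the CA certificates
    # needed to verify the OCSP response; the resolver is used to reach the
    # OCSP responder (127.0.0.53 assumes a local systemd-resolved stub).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;

    # HSTS is the one response header here that is about TLS: a browser that
    # has seen it refuses plain-HTTP connections to this host for max-age
    # seconds. Start small; a long max-age cannot be taken back from clients
    # that already cached it. "always" emits it on error responses too.
    add_header Strict-Transport-Security "max-age=300" always;
    # Later, once every host under the domain is confirmed to work over
    # HTTPS (includeSubDomains otherwise breaks them):
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # --- Browser security headers (separate file) ---------------------
    # Kept apart so they can be changed, tested and, if need be, broken
    # independently of the TLS setup.
    include /etc/nginx/snippets/security-headers.conf;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pitfall: add_header directives are inherited from the server level
        # only if this block defines none of its own. Adding a single
        # add_header here would silently drop HSTS and everything from the
        # include for this location.
    }
}

# Plain-HTTP listener: redirect only, no headers needed here.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

The include file is where headers such as `X-Content-Type-Options`, `X-Frame-Options` or `Content-Security-Policy` go, each added only after checking what it blocks on the site in question. The CAA record the comment asks for is DNS rather than nginx configuration; an illustrative zone line restricting issuance to one CA reads `example.com. CAA 0 issue "letsencrypt.org"` (the CA name is an assumption, not a recommendation). Per the comment, check the transport side with the SSL Labs test and the header side with securityheaders.io separately.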

