Hardening TLS (Disabling Weak Ciphers, HSTS, HPKP)

#Closing the Gaps: The Hardened Configuration#link

Simply installing a certificate is not enough. To be truly secure, you must configure your server to refuse any connection that doesn't meet a high security threshold. This process involves stripping away legacy support and forcing the client to adopt the strongest possible settings.

The 'Strong' Cipher Selection

Hardening starts with a whitelist approach. Instead of 'disabling bad ciphers', you define a short list of 'known good' ciphers. For TLS 1.2, this means only allowing GCM or Poly1305 and requiring ECDHE for key exchange.

# Example Nginx Hardened Config
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;

By setting `ssl_prefer_server_ciphers on`, you ensure the server's security preference takes precedence over the client's, preventing the client from requesting a weaker cipher it might support.

HSTS: Eliminating the HTTP Fallback

HTTP Strict Transport Security (HSTS) is a header that tells the browser: 'For the next X months, never even attempt to connect to me via HTTP. Automatically convert all requests to HTTPS.' This prevents 'SSL Stripping' attacks where a MitM forces a user to an unencrypted version of the site.

HPKP and the Shift to Certificate Transparency

HTTP Public Key Pinning (HPKP) allowed a site to tell the browser: 'Only trust certificates that use these specific public keys.' While powerful, it was too dangerous (a single mistake could brick a site for all users), and it has been deprecated. It was replaced by Certificate Transparency (CT) and CAA records.

• ▪Enforce HSTS with 'preload' for maximum security
• ▪Disable all CBC and RC4 ciphers
• ▪Use a 2048-bit minimum for DH parameters
• ▪Implement CAA records in DNS to restrict which CAs can issue certificates