At the very least, modern websites should serve HTTPS by default and redirect any HTTP traffic to HTTPS, so that traffic in transit is encrypted against third parties. The next step is making sure the SSL/TLS certificate and the web server it sits on are configured securely, with the well-known protocol and cipher weaknesses addressed.
The Qualys SSL Labs Server Test is an excellent free tool that grades the quality of your SSL/TLS configuration and identifies the areas that need to be addressed.
Qualys SSL Checker Tool
The Qualys SSL Labs test is here: https://www.ssllabs.com/ssltest/index.html
To run the tool, simply enter your domain, tick "Do not show the results on the boards" and submit.
Allow around 5 minutes for the test to run and the results to be returned.
As you can see from the results above, the grade has been capped at B because the server does not support Forward Secrecy with the reference browsers; further information is available here.
Tighten up the security
SSH to your Apache web server and edit the ssl.conf file (on Red Hat style systems this file is at /etc/httpd/conf.d/ssl.conf instead):
sudo vi /etc/apache2/mods-enabled/ssl.conf
Edit the SSLProtocol line so that SSLv3, TLSv1 and TLSv1.1 are disabled. Note that the directive needs a base set to subtract from: mod_ssl starts from an empty set, so a line made only of negative tokens leaves no protocol enabled and Apache refuses to start. With Apache 2.4.37+ and OpenSSL 1.1.1+ this leaves TLSv1.2 and TLSv1.3;
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Update the SSLCipherSuite line so that only ECDHE and DHE suites are offered, which is what gives Forward Secrecy. The original list also named RC4 suites and then excluded them again with !RC4 at the end; those dead entries are removed here. Set SSLHonorCipherOrder on alongside it so that the server, not the client, chooses from this list;
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
sudo service apache2 restart
Verify the site is still accessible over HTTPS.
Click Clear Cache, which reruns the Qualys test; your grade should now have gone up to an A (unless other issues exist in your configuration).
This looks a lot healthier, but to get an A+ you need to enable HTTP Strict Transport Security (HSTS). When an HSTS-capable browser receives the Strict-Transport-Security header from a site over HTTPS, it records that the site must only ever be contacted over HTTPS for the configured max-age, and rewrites any later plain-HTTP request for that site to HTTPS before it leaves the browser. Browsers ignore the header if it arrives over plain HTTP, so it must be sent by the HTTPS side.
**Please ensure your full site works purely over HTTPS before proceeding with enabling this; once a browser has seen the header it will refuse plain HTTP for the whole max-age period.**
To configure this;
Enable the apache headers module
sudo a2enmod headers
Edit the virtual host configuration file; the header has to be set in the virtual host that serves HTTPS, since browsers ignore it over plain HTTP
sudo vi /etc/apache2/sites-enabled/000-default.conf
Update the virtual host settings. I would suggest testing with a very low max-age (an hour, 3600 seconds) in case of HTTPS configuration issues, because browsers remember the policy for that long and a broken HTTPS site stays unreachable until it expires; for production this should be set to a minimum of six months to a year. The example below sets six months (15780000 seconds); includeSubDomains extends the policy to every subdomain, so leave it out if any subdomain is not served correctly over HTTPS
Header always set Strict-Transport-Security "max-age=15780000; includeSubDomains"
Run an Apache configuration test before restarting
sudo apachectl configtest
If the syntax is OK, restart Apache
sudo service apache2 restart
Verify the site and its images are all still accessible over HTTPS.
Click Clear Cache, which reruns the Qualys test; your configuration grade should now have gone up to an A+.
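The protocol, cipher suite and HSTS edits above are easy to get subtly wrong: an SSLProtocol line made only of negative tokens leaves no protocol enabled, a cipher string can name RC4 and then ban it, and a max-age below six months costs the A+. The script below is an added example, not code from the original article or from Qualys or Apache: it reads an ssl.conf (or the constructed sample embedded at its bottom), evaluates the three directives the way mod_ssl and OpenSSL parse them, and reports what is actually enabled. The script name, the usage path and the sample configuration are assumptions for illustration.

```shell
#!/usr/bin/env bash
# tls-audit.sh: static audit of the mod_ssl directives edited in this article
# (added example, not the article's own code). It evaluates SSLProtocol the way
# mod_ssl does, walks SSLCipherSuite the way OpenSSL does and checks the HSTS
# header. Usage: ./tls-audit.sh /etc/apache2/mods-enabled/ssl.conf (no argument:
# audits the constructed SAMPLE_CONF at the bottom).

# What mod_ssl's "all" expands to (TLSv1.3 needs OpenSSL 1.1.1+, Apache 2.4.37+).
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
has_word() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# enabled_protocols "<SSLProtocol value>" -> protocols left enabled, in order.
# mod_ssl starts from an EMPTY set ("all", "+X" or bare "X" adds, "-X" removes),
# so "-X"-only values enable nothing and Apache refuses to start.
enabled_protocols() {
  local set_="" out="" tok p x w
  for tok in $1; do
    case "$tok" in
      all|+all) set_=$ALL_PROTOCOLS ;;
      -all)     set_="" ;;
      -*)       p=${tok#-}; w=""
                for x in $set_; do [ "$x" = "$p" ] || w="$w $x"; done; set_=$w ;;
      *)        p=${tok#+}; has_word "$p" "$set_" || set_="$set_ $p" ;;
    esac
  done
  for p in $ALL_PROTOCOLS; do has_word "$p" "$set_" && out="$out $p"; done
  printf '%s' "${out# }"
}

# cipher_allows KEYWORD "<SSLCipherSuite value>" -> yes|no. OpenSSL reads the
# string left to right: "!X" bans X for the rest of the string, "-X" drops it
# (a later plain X re-adds it), any other token naming X selects it.
cipher_allows() {
  local kw=$1 state=no tok
  for tok in $(printf '%s' "$2" | tr ':' ' '); do   # space or colon separated
    case "$tok" in
      !*"$kw"*) echo no; return ;;
      -*"$kw"*) state=no ;;
      *"$kw"*)  state=yes ;;
    esac
  done
  echo "$state"
}

# hsts_ok "<Strict-Transport-Security value>" [min_age] -> 0 when max-age is an
# integer >= min_age (default 15780000 = six months) and includeSubDomains is set.
hsts_ok() {
  local min=${2:-15780000} age="" sub=no d
  for d in $(printf '%s' "$1" | tr 'A-Z;"' 'a-z  '); do   # RFC 6797: case-insensitive
    case "$d" in
      max-age=*)         age=${d#max-age=} ;;
      includesubdomains) sub=yes ;;
    esac
  done
  case "$age" in ''|*[!0-9]*) return 1 ;; esac
  [ "$age" -ge "$min" ] && [ "$sub" = yes ]
}

# directive NAME "<conf text>" -> value of the first NAME line, outer quotes
# stripped (single-line directives only, which is all this article uses).
directive() {
  printf '%s\n' "$2" | grep -iE "^[[:space:]]*$1[[:space:]]" | head -n 1 \
    | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/^"//; s/"[[:space:]]*$//'
}

# audit "<conf text>" -> prints findings; exit status 0 only if every check passes.
audit() {
  local conf=$1 rc=0 val protos suite hsts p kw
  val=$(directive SSLProtocol "$conf")
  [ -n "$val" ] || val="all -SSLv3"            # mod_ssl 2.4 default when unset
  protos=$(enabled_protocols "$val")
  echo "SSLProtocol enables: ${protos:-NOTHING (Apache will not start)}"
  [ -n "$protos" ] || rc=1
  for p in SSLv3 TLSv1 TLSv1.1; do
    has_word "$p" "$protos" && { echo "FAIL: $p still enabled"; rc=1; }
  done
  suite=$(directive SSLCipherSuite "$conf")
  for kw in RC4 3DES MD5 aNULL eNULL; do
    [ "$(cipher_allows "$kw" "$suite")" = no ] || { echo "FAIL: $kw allowed"; rc=1; }
  done
  case "$(directive SSLHonorCipherOrder "$conf")" in
    [Oo][Nn]) ;; *) echo "WARN: SSLHonorCipherOrder on not set; client order decides" ;;
  esac
  hsts=$(printf '%s\n' "$conf" | grep -i 'Strict-Transport-Security' \
         | grep -v '^[[:space:]]*#' | head -n 1 | sed -E 's/.*"([^"]*)".*/\1/')
  if hsts_ok "$hsts"; then echo "HSTS ok: $hsts"; else echo "FAIL: HSTS weak or missing: '$hsts'"; rc=1; fi
  return "$rc"
}

# Constructed sample: this article's edits with SSLProtocol given a base set,
# the dead RC4 entries dropped and SSLHonorCipherOrder added.
SAMPLE_CONF='
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15780000; includeSubDomains"
'

if [ -n "${1:-}" ]; then audit "$(cat "$1")"; else audit "$SAMPLE_CONF"; fi
```

Run it against your real ssl.conf before `apachectl configtest`: the protocol evaluation is what makes an `SSLProtocol -SSLv3 -TLSv1 -TLSv1.1` line visible as "enables nothing", and the cipher walk shows why RC4 entries followed by `!RC4` are dead weight. It is a static check of the configuration file, not a probe of the live server, so still rerun the SSL Labs test afterwards.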