Sane defaults reduce attack surface and renewal surprises.
- Disable legacy protocols
Use TLS 1.2+ (ideally TLS 1.3); disable SSLv3/TLS 1.0/1.1.
Check: curl -I --tlsv1.0 --tls-max 1.0 https://domain.tld
should fail with a handshake error (--tlsv1.0 alone only sets the minimum version, so cap it with --tls-max; repeat with --tls-max 1.1); confirm with an external scan (e.g., SSL Labs).
- Modern cipher suites and Forward Secrecy
Prefer TLS 1.3 defaults; remove weak/obsolete suites; ensure Perfect Forward Secrecy (PFS).
Check: nmap --script ssl-enum-ciphers -p 443 domain.tld
(no RC4/3DES; every suite uses ECDHE/DHE key exchange so PFS holds; TLS 1.3 suites visible).
- OCSP stapling + full certificate chain
Serve the complete chain in the right order and enable stapling.
Check: echo | openssl s_client -status -showcerts -servername domain.tld -connect domain.tld:443
(expect "OCSP Response Status: successful" and "Verify return code: 0 (ok)"; the chain lists the leaf first, then every intermediate; piping the output into openssl x509 shows only the first certificate, so read the s_client output itself).
- HSTS with preload (after testing)
Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Check: verify the header; validate at hstspreload.org / securityheaders.com.
- Automate renewals and monitor expiry
Use ACME (Let’s Encrypt etc.) with auto-renew; alerts on failure/expiry.
Check: echo | openssl s_client -servername domain.tld -connect domain.tld:443 2>/dev/null | openssl x509 -noout -enddate
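As an added example (not part of this checklist), a small Python monitor that turns the HSTS and expiry checks above into code: it parses the notAfter date in the format openssl x509 -enddate prints and scores a Strict-Transport-Security value against the hstspreload.org requirements. The 14-day alert threshold and the domain.tld placeholder host are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Same textual date that `openssl x509 -noout -enddate` prints and that
# ssl.getpeercert()["notAfter"] returns, e.g. "Jun 12 23:59:59 2025 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"
ALERT_DAYS = 14                  # assumed alert threshold; tune to your renewal window
PRELOAD_MIN_MAX_AGE = 31536000   # hstspreload.org requires max-age of at least one year

def days_until_expiry(not_after, now=None):
    """Days from now (UTC) until notAfter; negative once the cert has expired.
    Accepts either the bare date or the full "notAfter=..." line from openssl."""
    value = not_after.split("=", 1)[-1].strip()
    expires = datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400

def check_hsts(header_value):
    """Return the list of preload requirements the header value fails (empty = ok)."""
    directives = {}
    for part in header_value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (31536000)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems

def fetch_not_after(host, port=443, timeout=5):
    """Fetch the leaf certificate's notAfter over a verified TLS connection (needs network)."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "domain.tld"   # placeholder host
    left = days_until_expiry(fetch_not_after(host))
    state = "ALERT" if left < ALERT_DAYS else "ok"
    print(f"{host}: {left:.1f} days until expiry [{state}]")
    sys.exit(1 if state == "ALERT" else 0)
```

Run it from cron and alert on a non-zero exit; the same check_hsts() can be fed the header captured with curl -I.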