SSL/TLS: Practical Tips
Strong defaults reduce attack surface and surprises during renewals.
Protocol & ciphers
- Disable legacy protocols (SSLv3, TLS 1.0, TLS 1.1); require TLS 1.2 or later.
- Prefer modern cipher suites; enable forward secrecy.
Hardening
- Enable OCSP stapling; serve the full certificate chain.
- Enable HSTS with preload, but only after careful testing.
- Automate renewals and monitor expiry.
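
A monitoring check for the protocol, forward-secrecy and expiry tips above. It is an added example, not part of the original page. The function names, the 21-day warning threshold and the sample values are assumptions made for illustration.

```python
import socket
import ssl
import time

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocols the tips say to disable
WARN_DAYS = 21                          # assumed renewal alert threshold

def is_forward_secret(cipher: str, protocol: str) -> bool:
    """TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 and
    earlier the OpenSSL suite name must start with ECDHE- or DHE-."""
    return protocol == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))

def days_until_expiry(not_after: str, now: float) -> int:
    """not_after is the 'notAfter' string from SSLSocket.getpeercert()."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def evaluate(protocol: str, cipher: str, not_after: str, now: float) -> list:
    """Return findings for one observed handshake; an empty list is a pass."""
    findings = []
    if protocol in LEGACY:
        findings.append(f"legacy protocol negotiated: {protocol}")
    if not is_forward_secret(cipher, protocol):
        findings.append(f"no forward secrecy: {cipher}")
    left = days_until_expiry(not_after, now)
    if left < 0:
        findings.append(f"certificate expired {-left} days ago")
    elif left < WARN_DAYS:
        findings.append(f"certificate expires in {left} days")
    return findings

def probe(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Handshake with chain and hostname verification, then evaluate it.
    An incomplete chain or a legacy-only server raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version()      # negotiated protocol, e.g. "TLSv1.3"
            cipher = tls.cipher()[0]      # negotiated suite name
            not_after = tls.getpeercert()["notAfter"]
    return evaluate(protocol, cipher, not_after, time.time())

if __name__ == "__main__":
    # Constructed observations, not captured from any real server.
    now = ssl.cert_time_to_seconds("May  2 12:00:00 2030 GMT")
    print(evaluate("TLSv1.3", "TLS_AES_256_GCM_SHA384", "Jun  1 12:00:00 2030 GMT", now))
    print(evaluate("TLSv1.2", "AES128-GCM-SHA256", "May 10 12:00:00 2030 GMT", now))
```

Run `probe()` against your own endpoints from a scheduler and alert on any non-empty result or handshake error.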