Search the Community
Showing results for tags 'webserver'.
A website with security-aware topics should really be a good example. In your case it is only good, but does not use security features, which it should use or which it might use as a site about encryption. So the SSL config is okay, but there are a few things to mention: You're missing the HSTS header. When you add it you'll get an A+ on SSLLabs. You're sending the root cert, which is unnecessary. You're not sending an intermediate certificate, which is neccessary. Currently this can cause connection failures. OCSP stapling would be a nice thing to add. Additionally you should really add some security headers and please consider using HPKP and CSP.