Hi,
Most of those settings are those suggested by the Mozilla SSL Configuration Generator for an "Intermediate" security setting; however, I would only advise setting those header lines in the main Apache configuration (as that article suggests) if you are happy for those settings to be on every single website hosted on the server.
If not, I would personally put those lines in the .htaccess file for each site, giving the site owners control of what is emitted for their site.
For the record, I'm getting A+ ratings for mine with the following settings:
Apache Configuration->Global Configuration
SSL Cipher Suite: (default)
SSL/TLS Protocols: default
SSL Use stapling: On
and in the .htaccess files:
Code:
<IfModule mod_headers.c>
# Remove headers that only serve to fingerprint the server/application
Header unset X-Pingback
# Legacy XSS filter header; modern browsers ignore it, harmless to keep
Header set X-XSS-Protection "1;mode=block;report=https://reporting-system.example.com/r/d/csp/enforce"
Header set Permissions-Policy "interest-cohort=()"
Header set X-Frame-Options "DENY"
Header set X-Content-Type-Options "nosniff"
# CORP only accepts a bare value (same-origin / same-site / cross-origin);
# a trailing report-to parameter is not valid and makes browsers ignore the header
Header set Cross-Origin-Resource-Policy "same-origin"
# Comma-separated fallback list: a browser uses the last value it understands
Header set Referrer-Policy "no-referrer,same-origin,strict-origin-when-cross-origin"
# report-to is a structured-field string, so the group name needs double quotes
Header set Cross-Origin-Embedder-Policy 'require-corp; report-to="default"'
Header set Cross-Origin-Opener-Policy 'same-origin; report-to="default"'
# Every CSP keyword must be quoted on its own ('self' 'unsafe-inline'), otherwise the
# browser reads it as a host name; 'unsafe-inline' means nothing for img-src / font-src
Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; img-src 'self'; font-src 'self'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri https://example.com:443/; manifest-src 'self'; report-uri https://reporting-system.example.com/r/d/csp/wizard"
# NEL field names use underscores (success_fraction, not success-fraction)
Header set NEL '{"report_to":"default","max_age":31536000,"include_subdomains":true,"success_fraction":0.5,"failure_fraction":1.0}'
Header set Report-To '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://reporting-system.example.com/a/d/g"}],"include_subdomains":true}'
Header set Reporting-Endpoints 'default="https://reporting-system.example.com/a/d/g"'
Header always set Expect-CT 'max-age=43200, enforce, report-uri="https://reporting-system.example.com/r/d/ct/enforce"'
# "always" so HSTS is also sent on error responses (4xx/5xx), not just successes
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header unset Public-Key-Pins
# Unset on both the onsuccess and the always header tables
Header unset X-Powered-By
Header always unset X-Powered-By
</IfModule>
# Core directive, so it does not depend on mod_headers being loaded
ServerSignature Off
(based on Cloudflare's examples, suggestions by SecurityHeaders (where the site is rated A+), and Report-URI (which I use for reporting))
I also ensured the site is listed on the HSTS Preload service. I've also got a 100% rating on Internet.nl's Test your website service.
Normally I check things like this via the Mozilla Observatory, but that appears currently broken (and has been for the last couple of days).