Web server and HTTPS settings
CESNET allows you to obtain a certificate from the Sectigo certification authority free of charge. You can apply for it yourself, or, if you would like advice on obtaining one, contact unix@fi.muni.cz. Alternatively, you can use the Let's Encrypt certification authority, either on your own or through the issuing of LE certificates via unix@fi.
In addition to deploying HTTPS itself, it is important to verify that the configuration is reasonably secure. The following tools can be used to test the configuration:
The best approach is the configuration generator at https://wiki.mozilla.org/Security/Server_Side_TLS . This tool generates a configuration according to the current cryptographic and security recommendations.
We recommend testing the deployed configuration, for example via Qualys (see above). You should aim for a Qualys score of A- or A. Keep in mind, however, that with a score in the A range some older clients may not support the newer, more secure ciphers the configuration requires.
HTTP Strict Transport Security - HSTS
Especially if you are creating a new website, we recommend redirecting HTTP directly to HTTPS and sending the HSTS header, which ensures that the browser accesses the site only via HTTPS for a set period of time.
If you use the Apache web server, the configuration looks as follows:

<VirtualHost fqdn.fi.muni.cz:80>
    ...
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>
The time for which the browser remembers that it must use HTTPS is set by the max-age parameter. For existing sites it is a good idea to start with a low value and increase it gradually: an hour (3600), a day (86400), a week (604800), a month (2592000), ending at half a year (15552000).
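To check that a deployed site actually behaves as the configuration above intends, here is an added example (not part of the original page) that parses a Strict-Transport-Security value per RFC 6797, reports the next step of the ramp-up schedule described above, and verifies that a plain-HTTP response is a permanent redirect to HTTPS on the same host. The responses it inspects are constructed to resemble what the Apache configuration above would send; in practice you would feed it the status, Location and headers returned by your own server.

```python
import re
from urllib.parse import urlsplit

# Ramp-up schedule from the page: an hour, a day, a week, a month, half a year.
HSTS_RAMP = [3600, 86400, 604800, 2592000, 15552000]


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Directive names are case-insensitive and an empty directive (such as the
    trailing ';' in the Apache example above) is allowed; a missing, repeated
    or non-numeric max-age makes the header invalid and returns None."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in (d.strip() for d in value.split(";")):
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # each directive may appear at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def next_max_age(current):
    """Next value in the page's gradual ramp, or the final value once reached."""
    return next((step for step in HSTS_RAMP if step > current), HSTS_RAMP[-1])


def redirects_to_https(host, status, location):
    """True if a plain-HTTP response permanently redirects to HTTPS on the same host."""
    target = urlsplit(location or "")
    return status in (301, 308) and target.scheme == "https" and target.hostname == host


# Constructed responses resembling what the Apache configuration above sends.
HTTP_RESPONSE = (301, "https://fqdn.fi.muni.cz/")   # from "Redirect permanent"
HSTS_HEADER = "max-age=3600;"                         # the initial ramp value

if __name__ == "__main__":
    print(redirects_to_https("fqdn.fi.muni.cz", *HTTP_RESPONSE))       # True
    hsts = parse_hsts(HSTS_HEADER)
    print(hsts["max_age"], "->", next_max_age(hsts["max_age"]))       # 3600 -> 86400
```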
Additional security headers
In addition to HSTS, other security headers can be set (for example X-Frame-Options). Their list is longer and we do not describe them here; you can, however, use the Security Headers tool to review and deploy them.