Webserver and SSL settings
The university lets you obtain a free certificate from the TERENA certification authority. You can apply for it yourself, or, if you would like help with it, contact unix@fi.muni.cz. Alternatively, you can use the Let's Encrypt certification authority, either on your own or by taking advantage of LE certificate issuing via unix@fi.
Deploying HTTPS is only the first step; the TLS configuration itself must also be reasonably secure. Two tools help with this:
The best starting point is the configuration generator at https://wiki.mozilla.org/Security/Server_Side_TLS . It produces a web-server configuration (protocol versions, cipher suites and related settings) that follows current cryptographic and security recommendations.
Once the configuration is applied, test it with the Qualys SSL Labs server test ( https://www.ssllabs.com/ssltest/ ). Aim for a score of A- or A. Bear in mind that the stricter settings required for an A-range score may exclude older clients that do not support the newer protocol versions and cipher suites, so check which clients you still have to serve before dropping them.
HTTP Strict Transport Security (HSTS)
Especially for a new site, we recommend setting up a redirect from HTTP to HTTPS straight away and sending the HTTP Strict-Transport-Security (HSTS) header, so that for a given period the browser accesses the site only over HTTPS (it rewrites http:// links to https:// itself and will not let the user click through certificate errors).
With the Apache web server the configuration looks as follows (the Header directive needs mod_headers):
    <VirtualHost fqdn.fi.muni.cz:80>
        ...
        Redirect permanent / https://fqdn.fi.muni.cz/
    </VirtualHost>

    <VirtualHost fqdn.fi.muni.cz:443>
        ...
        # gradually increase up to max-age=15552000
        Header always set Strict-Transport-Security "max-age=3600"
    </VirtualHost>
Send the header only from the HTTPS virtual host, as above: browsers ignore an HSTS header received over plain HTTP (RFC 6797), and the port-80 host should do nothing but redirect.
How long the browser remembers that the site must be accessed over HTTPS is set by the max-age parameter, in seconds. For an existing site, start with a low value and increase it step by step, so that a resource or page that turns out not to work over HTTPS can still be fixed before browsers have cached a long policy: an hour (3600), a day (86400), a week (604800), a month (2592000), and finally six months (15552000). Do not add the includeSubDomains directive unless every subdomain of the host is served over HTTPS, because the cached policy then applies to all of them.
Other security headers
In addition to HSTS, other security headers can be set (for example X-Frame-Options against clickjacking). The list is longer than we want to cover here; use the Security Headers tool ( https://securityheaders.com/ ) to review and test what your deployment sends.
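The online tools above need a reachable host. As an added example (not part of the original page and not the faculty's own tooling), the following Python script applies the same checklist offline to response headers you have already captured, for instance from a staging host with curl -I: it verifies the HTTP to HTTPS redirect, parses the HSTS header according to the RFC 6797 grammar, compares max-age against the ramp recommended above, and checks two of the other security headers. The host name fqdn.fi.muni.cz is reused from the Apache snippet; the sample responses are constructed, not captured from a real server.

```python
"""Offline check of the deployment points on this page: the HTTP->HTTPS redirect,
the HSTS header (RFC 6797) and two other security headers. Added example, not
the page's own code; the sample responses below are constructed."""
from dataclasses import dataclass

# max-age ramp recommended above, in seconds: hour, day, week, month, six months
HSTS_RAMP = [3600, 86400, 604800, 2592000, 15552000]


@dataclass
class Response:
    status: int
    headers: dict  # name -> value; names are matched case-insensitively

def _header(resp, name):
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into
    {directive: value} with lower-cased names. Returns None if invalid: max-age
    is required and must be a non-negative integer, and no directive may repeat.
    Empty directives (such as a trailing ';') are allowed by the grammar."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def next_ramp_step(current):
    """The max-age to deploy next, following HSTS_RAMP."""
    return next((s for s in HSTS_RAMP if s > current), HSTS_RAMP[-1])

def check_redirect(http_resp, https_origin):
    """Port 80 must answer with a permanent redirect to the HTTPS origin
    (Apache's 'Redirect permanent' sends 301)."""
    findings = []
    if http_resp.status not in (301, 308):
        findings.append("HTTP: expected a 301/308 redirect, got %d" % http_resp.status)
    loc = _header(http_resp, "Location") or ""
    if not loc.startswith(https_origin):
        findings.append("HTTP: redirect target %r is not %s" % (loc, https_origin))
    return findings

def check_hsts(https_resp, min_max_age=HSTS_RAMP[-1]):
    findings = []
    raw = _header(https_resp, "Strict-Transport-Security")
    if raw is None:
        return ["HTTPS: Strict-Transport-Security header missing"]
    hsts = parse_hsts(raw)
    if hsts is None:
        return ["HTTPS: malformed Strict-Transport-Security value %r" % raw]
    if hsts["max-age"] < min_max_age:
        findings.append("HTTPS: HSTS max-age=%d is below the target %d; next ramp step is %d"
                        % (hsts["max-age"], min_max_age, next_ramp_step(hsts["max-age"])))
    # Browser preload lists additionally require includeSubDomains and max-age >= 1 year.
    if "preload" in hsts and ("includesubdomains" not in hsts or hsts["max-age"] < 31536000):
        findings.append("HTTPS: 'preload' set without includeSubDomains and max-age>=31536000")
    return findings

def check_other_headers(https_resp):
    """Clickjacking protection and MIME sniffing, two of the other headers mentioned."""
    findings = []
    xfo = (_header(https_resp, "X-Frame-Options") or "").upper()
    csp = _header(https_resp, "Content-Security-Policy") or ""
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("HTTPS: no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")
    if (_header(https_resp, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("HTTPS: X-Content-Type-Options: nosniff missing")
    return findings

def audit(http_resp, https_resp, https_origin, min_max_age=HSTS_RAMP[-1]):
    """All findings for one site; an empty list means everything checked out."""
    return (check_redirect(http_resp, https_origin)
            + check_hsts(https_resp, min_max_age)
            + check_other_headers(https_resp))

# Constructed sample responses, not captured from a real host.
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})  # still serves pages over HTTP
WEAK_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=3600;"})  # first ramp step
GOOD_HTTP = Response(301, {"Location": "https://fqdn.fi.muni.cz/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=15552000",
                            "X-Frame-Options": "SAMEORIGIN",
                            "X-Content-Type-Options": "nosniff"})

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        for line in audit(http, https, "https://fqdn.fi.muni.cz/") or ["no findings"]:
            print(label + ": " + line)
```

While ramping max-age, pass the value you have reached as min_max_age so the check reports only deviations from the current step; with the default it reports the distance from the six-month target. The preload check is included because a site that adds the preload directive prematurely is signalling a commitment its configuration does not yet meet.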