Machine-translated page (Google Translate), provided for the convenience of English-speaking readers.

Web server and SSL settings

Through CESNET you can obtain a certificate from the Sectigo certification authority free of charge. You can apply for it yourself, or, if you would like advice on obtaining one, contact unix@fi.muni.cz . Alternatively, you can use the Let's Encrypt certification authority, either on your own or by having LE certificates issued via unix @ fi .

In addition to the actual implementation of HTTPS, it is important to verify that the configuration is reasonably secure. The following tools can be used to test the configuration:

SSL parameters

The best approach is to use the configuration generator at https://wiki.mozilla.org/Security/Server_Side_TLS . This tool produces a configuration that follows the current cryptographic and security recommendations.

We recommend testing the applied configuration, for example with Qualys (see above). You should aim for a Qualys score of A- or A. Note, however, that with scores starting with A there is a risk that some older clients will not support sufficiently new and secure ciphers, and this trade-off should be considered.

HTTP Strict Transport Security - HSTS

Especially if you are creating a new website, we recommend redirecting HTTP directly to HTTPS and sending the HSTS HTTP header, which ensures that the browser will access this website only via HTTPS for a set period of time.

With the Apache web server, the configuration looks like this:

<VirtualHost fqdn.fi.muni.cz:80>
    ...
    # send a permanent (301) redirect of every HTTP request to the HTTPS site
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # requires mod_headers; gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600"
</VirtualHost>

The time for which the browser remembers that it must use HTTPS is set by the max-age parameter. For existing sites, it is a good idea to start with a low value and increase it gradually: an hour (3600), a day (86400), a week (604800), a month (2592000), and finally a semester, i.e. half a year (15552000).
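As an added illustration (not part of the original page or the FI MUNI configuration), the following Python script checks whether a site follows the two recommendations above: the HTTP endpoint returns a permanent redirect to an https:// URL, and the HTTPS response carries a valid Strict-Transport-Security header whose max-age has reached the final ramp step of 15552000. The responses it checks are constructed inline so it runs offline; in practice you would feed it the status and headers captured from the real server. Function names, the findings text and the sample responses are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Ramp-up schedule for max-age recommended on this page (in seconds).
HSTS_RAMP = [3600, 86400, 604800, 2592000, 15552000]


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns None when there is no valid max-age directive (RFC 6797 makes
    max-age mandatory). Directive names are case-insensitive and a trailing
    ';', as in the older Apache example above, is tolerated.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def next_ramp_step(current_max_age):
    """Return the next max-age value on the ramp; once the final step is
    reached, the final value itself is returned."""
    for step in HSTS_RAMP:
        if step > current_max_age:
            return step
    return HSTS_RAMP[-1]


def check_site(http_response, https_response):
    """Evaluate redirect + HSTS deployment from two captured responses.

    Each response is a tuple (status_code, headers_dict). Returns a list of
    findings; an empty list means the setup matches the recommendations.
    """
    findings = []

    status, headers = http_response
    location = headers.get("Location", "")
    if status not in (301, 308):
        findings.append(f"HTTP endpoint returned {status}, expected a permanent redirect (301)")
    elif urlsplit(location).scheme != "https":
        findings.append(f"HTTP redirect points to {location!r}, not an https:// URL")

    status, headers = https_response
    hsts = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if hsts is None:
        findings.append("HTTPS response has no valid Strict-Transport-Security header")
    elif hsts["max_age"] < HSTS_RAMP[-1]:
        findings.append(
            f"HSTS max-age={hsts['max_age']} is below the target 15552000; "
            f"next ramp step is {next_ramp_step(hsts['max_age'])}")
    return findings


# Constructed sample responses (not real captures), modelled on the Apache
# configuration above during its initial max-age=3600 phase.
SAMPLE_HTTP = (301, {"Location": "https://fqdn.fi.muni.cz/"})
SAMPLE_HTTPS = (200, {"Strict-Transport-Security": "max-age=3600;"})

if __name__ == "__main__":
    for finding in check_site(SAMPLE_HTTP, SAMPLE_HTTPS):
        print("finding:", finding)
```

Run against the sample pair, the script reports one finding: the redirect is correct, but max-age is still 3600 and the next step on the ramp is 86400. Re-running it after each increase is a simple way to track the ramp-up until the final value is reached.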

Additional security headers

In addition to HSTS, other security headers can be set (for example Content-Security-Policy , X-Frame-Options , ...). The list is long and we do not describe them here.

You can, however, use the Security Headers tool to review them and to help with deploying them.