Web server and HTTPS settings
CESNET lets you obtain a certificate from the Sectigo certification authority free of charge. You can apply for it yourself, or, if you would like advice on obtaining one, contact unix@fi.muni.cz. Alternatively, you can use the Let's Encrypt certification authority, either on your own or by having LE certificates issued via unix@fi.
Beyond deploying HTTPS itself, it is important to verify that the configuration is reasonably secure. You can test it, for example, with the Qualys SSL Labs server test or with testssl.sh (a bash script built on OpenSSL).
We recommend using the configuration generator from Mozilla, which takes current security recommendations into account.
We recommend testing the applied configuration, for example via Qualys (see above). You should aim for a Qualys score of A- or A. For scores starting with A, however, consider the risk that some older clients may not support sufficiently new and secure ciphers.
HTTP Strict Transport Security - HSTS
Especially if you are creating a new website, we recommend redirecting HTTP directly to HTTPS and using the HSTS HTTP header, which ensures that the browser always accesses the website via HTTPS for a period that it remembers.
If you are using the Apache web server, the configuration looks like this:
<VirtualHost fqdn.fi.muni.cz:80>
    ...
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # requires mod_headers; gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>
How long the browser remembers that it must use HTTPS is determined by the max-age parameter. For existing sites, it is a good idea to start with a low value and increase it gradually, for example an hour (3600), a day (86400), a week (604800), a month (2592000), ending at half a year (15552000).
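An added example (not from the original page or the FI unix administrators) of checking the header the configuration above sends: it parses the Strict-Transport-Security value the way a browser does (RFC 6797 directive list), reports max-age, includeSubDomains and preload, and suggests the next step of the hour/day/week/month/half-year ramp. The sample headers are constructed, so it runs offline.

```python
import re

# Ramp-up schedule from the text above (seconds): hour, day, week, month, half a year.
RAMP = [3600, 86400, 604800, 2592000, 15552000]

def parse_hsts(value):
    """Parse an STS directive list (RFC 6797): ';'-separated, names are
    case-insensitive, a trailing ';' (as in the Apache snippet) is allowed."""
    info = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if info["max_age"] is not None or not re.fullmatch(r"\d+", arg):
                # RFC 6797: a duplicate or malformed directive makes browsers ignore the header.
                raise ValueError("bad directive %r" % directive)
            info["max_age"] = int(arg)
        elif name == "includesubdomains":
            info["include_subdomains"] = True
        elif name == "preload":
            info["preload"] = True
    return info

def next_max_age(current):
    """Next step of the ramp, or None once the half-year target is reached."""
    return next((step for step in RAMP if step > current), None)

def check_hsts(headers):
    """Verdict for a dict of response headers (header names matched case-insensitively)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing: no Strict-Transport-Security header, HSTS is not enabled"
    try:
        info = parse_hsts(value)
    except ValueError as exc:
        return "invalid: %s" % exc
    if info["max_age"] is None:
        return "invalid: max-age is mandatory, browsers ignore the header"
    if info["max_age"] >= RAMP[-1]:
        return "ok: max-age=%d reached the half-year target" % info["max_age"]
    return "ramping: max-age=%d, next step is max-age=%d" % (
        info["max_age"], next_max_age(info["max_age"]))

# Constructed sample: the headers the Apache snippet above would send.
SAMPLE_HEADERS = {"Server": "Apache", "Strict-Transport-Security": "max-age=3600;"}
print(check_hsts(SAMPLE_HEADERS))  # ramping: max-age=3600, next step is max-age=86400
```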
Additional security headers
In addition to HSTS, other security headers can be set (for example X-Frame-Options, ...). The list is longer and we will not describe them here.
However, you can use the Security Headers tool to review and deploy them.