Translated using DeepL

Machine-translated page, provided to make the content accessible to English-speaking readers.

Webserver and HTTPS settings

CESNET allows you to obtain a free certificate from the Sectigo Certificate Authority. You can apply for one yourself (the CVT manager must then confirm its issuance), or, if you would like advice on obtaining one, contact unix@fi.muni.cz. Alternatively, you can use Let's Encrypt, either on your own or by having LE certificates issued via unix@fi.muni.cz.

In addition to deploying HTTPS itself, verify that the resulting configuration is reasonably secure. Qualys SSL Labs (tests publicly reachable HTTPS endpoints only) or testssl.sh (a bash script built on OpenSSL that can be pointed at any TLS port, including internal hosts) can be used for this.

TLS parameters

We recommend using Mozilla's SSL Configuration Generator, which produces server configuration based on current security recommendations and offers profiles for modern, intermediate, and old client populations.

We recommend testing the applied configuration, for example via Qualys (see above). You should aim for a Qualys score of A- or A. Bear in mind, however, that reaching the A grades generally means disabling older protocol versions and ciphers, so weigh the risk that some older clients will no longer be able to connect.
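As an added illustration (not the original page's configuration and not the literal output of Mozilla's generator), the following Apache vhost shows the kind of settings the generator's intermediate profile yields, with the weak settings it replaces kept as comments for contrast. The hostname, certificate paths and the stapling cache location are placeholders; the cipher list reflects the intermediate profile at the time of writing and should be regenerated rather than copied.

```apache
# Added example: intermediate-profile TLS settings for Apache (mod_ssl).
# Values follow Mozilla's intermediate profile as of this writing; regenerate
# them at the generator before use. Paths and hostnames are placeholders.

# OCSP stapling cache must be declared in the server-wide context, not per vhost
SSLUseStapling      on
SSLStaplingCache    "shmcb:logs/ssl_stapling(32768)"

<VirtualHost fqdn.fi.muni.cz:443>
    ServerName fqdn.fi.muni.cz
    SSLEngine on
    # fullchain.pem = server certificate followed by the CA intermediate(s)
    SSLCertificateFile    /etc/ssl/fqdn.fi.muni.cz/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/fqdn.fi.muni.cz/privkey.pem

    # Weak settings often found in an old vhost (shown only for contrast):
    #   SSLProtocol    all
    #   SSLCipherSuite HIGH:!aNULL:!MD5
    # "all" still allows SSLv3/TLS 1.0/1.1, and that cipher list admits CBC
    # suites and plain RSA key exchange without forward secrecy; Qualys
    # penalises both.

    # Intermediate profile: TLS 1.2 and 1.3 only, AEAD suites with forward secrecy
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    # Let the client choose among these suites (e.g. ChaCha20 on CPUs without AES-NI)
    SSLHonorCipherOrder off
    # Session tickets without key rotation undermine forward secrecy
    SSLSessionTickets   off
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading, then run testssl.sh against the host (or submit it to Qualys) to confirm that only TLS 1.2/1.3 and forward-secret AEAD suites are offered. Dropping TLS 1.0/1.1 is what moves a site out of the B range at Qualys; the old-clients trade-off mentioned above applies here.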

HTTP Strict Transport Security - HSTS

First of all, if you are creating a new website, set up redirection from HTTP to HTTPS right away and send the HSTS header, which tells the browser to access the site only over HTTPS for the period stated in the header (the browser remembers this and upgrades even links and typed http:// URLs on its own).

If using the Apache webserver, the configuration would be as follows:

<VirtualHost fqdn.fi.muni.cz:80>
    ...
    # Every plain-HTTP request gets a 301 to the HTTPS site
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # The header is sent only over HTTPS (browsers ignore it on plain HTTP);
    # "always" adds it to error responses as well.
    # Gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600"
</VirtualHost>

The period for which the browser remembers to use HTTPS is set by the max-age parameter (in seconds). For existing sites, start with a low value and raise it gradually, for example an hour (3600), a day (86400), a week (604800), a month (2592000), and finally half a year (15552000). The gradual increase limits the damage of a mistake: once a browser has seen the header, it refuses plain HTTP for the whole remembered period, so a broken HTTPS setup would lock visitors out for that long.

Other security headers

In addition to HSTS, other security headers can be set, for example Content-Security-Policy, X-Frame-Options and others. The list is long and is not covered here.

You can use the Security Headers tool (securityheaders.com) to review the available headers and to test your deployment.
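As an added example (not from the original page), the following Apache fragment sets the two headers named above together with a few others commonly reported by the Security Headers tool. The Content-Security-Policy shown assumes a site that loads scripts, styles and images only from its own origin; a real policy has to be derived from what the site actually loads, so the header names are standard but the values are illustrative.

```apache
# Added example: common security headers for the HTTPS vhost.
# The CSP value assumes a site serving only its own assets; adjust it to
# what your pages really load (inline scripts, CDNs, fonts, ...).
<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # Only our own origin may supply scripts, styles, images and the like;
    # no plugins; no embedding of this site in frames elsewhere.
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
    # While tuning the policy, report violations instead of enforcing it:
    #   Header always set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report"
    # Legacy equivalent of frame-ancestors for browsers without CSP support
    Header always set X-Frame-Options "DENY"
    # Stop browsers from sniffing a script or stylesheet out of a mistyped Content-Type
    Header always set X-Content-Type-Options "nosniff"
    # Send only the origin to other sites, never the full URL
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</VirtualHost>
```

Start with the Report-Only variant and watch the reports before switching to the enforcing header: a CSP that is too strict silently breaks page functionality rather than producing an error. Browsers that understand `frame-ancestors` give it precedence over X-Frame-Options, so the latter is kept only for older clients. Once deployed, re-run the Security Headers scan to confirm every header arrives on the live site.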