
This page was machine-translated to make it accessible to English-speaking readers.

Web server and HTTPS settings

CESNET lets you obtain a certificate from the Sectigo certification authority free of charge. You can apply for it yourself, or, if you would like advice on obtaining one, please contact . Alternatively, you can use the Let's Encrypt certification authority, either on your own or through the issuing of LE certificates via unix @ fi .

Besides deploying HTTPS itself, it is important to verify that the configuration is reasonably secure. You can test it, for example, with Qualys (HTTPS only) or with (a bash script built on OpenSSL).

TLS parameters

We recommend using the configuration generator from Mozilla, which takes current security recommendations into account.

We recommend testing the applied configuration, for example with Qualys (see above). Aim for a Qualys score of A- or A. Bear in mind, however, that the stricter settings needed for an A-range score can exclude older clients that do not support sufficiently modern, secure ciphers.
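Before putting a generated cipher list into a web server, it is worth checking what the local OpenSSL actually makes of it, since the same string expands differently on different builds and security levels. The following Python script is an added example, not code from the original page or from the Mozilla generator: it loads a cipher string into a server-side TLS context the way a web server would, lists the suites that would really be offered, and flags any that lack forward secrecy or AEAD protection (the properties behind the A-range scores). The cipher string labelled as the Mozilla intermediate profile is a copy of what the generator produced when this example was written and is an assumption; regenerate it before use. The legacy string is constructed for comparison.

```python
import ssl

# Cipher string of the Mozilla generator's "intermediate" profile as it read when
# this example was written (an assumption: re-generate it before deploying).
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-CHACHA20-POLY1305"
)

# A constructed legacy-style string of the kind still found in old vhost files;
# it admits CBC suites and plain RSA key exchange without forward secrecy.
LEGACY_STRING = "HIGH:MEDIUM:!aNULL:!MD5"


def is_modern(cipher):
    """True if a suite (a dict as returned by SSLContext.get_ciphers) offers both
    forward secrecy and AEAD protection; classified by the OpenSSL suite name."""
    if cipher["protocol"] == "TLSv1.3":
        return True  # every TLS 1.3 suite is AEAD with (EC)DHE key exchange
    name = cipher["name"]
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    return aead and forward_secret


def audit_cipher_string(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Load a cipher string into a server context exactly as a web server would and
    report which suites the local OpenSSL would actually offer, and which are weak."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches at all
    offered = ctx.get_ciphers()
    weak = [c["name"] for c in offered if not is_modern(c)]
    return {
        "offered": [c["name"] for c in offered],
        "weak": weak,
        "ok": not weak,
    }


if __name__ == "__main__":
    for label, cipher_string in (("mozilla intermediate", MOZILLA_INTERMEDIATE),
                                 ("legacy", LEGACY_STRING)):
        result = audit_cipher_string(cipher_string)
        print(f"{label}: {len(result['offered'])} suites offered, "
              f"{len(result['weak'])} weak -> {'OK' if result['ok'] else 'FIX'}")
        for name in result["weak"]:
            print("   weak:", name)
```

The script only inspects the local OpenSSL library; it does not contact a server, so it complements rather than replaces the external scanners named above. Run it on the machine that will host the web server, because that is the OpenSSL build whose interpretation of the string matters.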

HTTP Strict Transport Security - HSTS

Especially when you are creating a new website, we recommend redirecting HTTP directly to HTTPS and sending the HSTS HTTP header, which tells the browser to access the site only over HTTPS for as long as it has been told to remember this (see max-age below).

With the Apache web server the configuration looks like this. The Redirect goes into the virtual host that serves plain HTTP; the Header line belongs in the HTTPS virtual host, because a browser ignores an HSTS header it receives over an unencrypted connection:

    Redirect permanent /

    # gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"

How long the browser remembers that it must use HTTPS is set by max-age (in seconds). For an existing site, start with a low value and raise it step by step, for example an hour (3600), a day (86400), a week (604800), a month (2592000), and finish at half a year (15552000). The reason for the gradual increase: until the remembered period expires, a browser will refuse to connect to the site over plain HTTP and will not let the user click through a certificate error, so a mistake in the HTTPS setup (for example an expired certificate) would lock visitors out for the whole max-age.
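To check a deployment of the redirect and HSTS header described above, here is an added Python example that is not from the original page. It parses captured HTTP responses, validates the Strict-Transport-Security value against the directive grammar of RFC 6797, checks that the plain-HTTP side answers with a permanent redirect to the same URL over https, warns when HSTS is sent over plain HTTP (where browsers ignore it), and reports the next step on the max-age ramp. The three responses and the host www.example.org are constructed samples; in practice you would paste in the headers printed by curl -i for the HTTP and HTTPS URLs of your site.

```python
from urllib.parse import urlsplit

# The ramp recommended on this page, in seconds: hour, day, week, month, half a year.
MAX_AGE_RAMP = [3600, 86400, 604800, 2592000, 15552000]

# Constructed sample responses, not captured from any real site.
HTTP_RESPONSE = (                        # plain-HTTP vhost, configured as on this page
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.org/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (                       # HTTPS vhost at the first step of the ramp
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=3600;\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
BAD_HTTP_RESPONSE = (                    # a common misconfiguration
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.org/\r\n"
    "Strict-Transport-Security: max-age=3600\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, {lower-cased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per the RFC 6797 grammar: ';'-separated
    directives, case-insensitive names, no duplicates, max-age required (may be quoted)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                     # a trailing ';' as in the Apache line above is legal
            continue
        name, has_value, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age missing or not a non-negative integer")
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def next_ramp_step(current_max_age):
    """Next value to deploy on the page's schedule, or the final one once reached."""
    for step in MAX_AGE_RAMP:
        if step > current_max_age:
            return step
    return MAX_AGE_RAMP[-1]

def check_http_side(raw, host, path="/"):
    """Problems with the plain-HTTP answer: it must permanently redirect to the same
    path on https://host; an HSTS header sent here is ignored by browsers (RFC 6797)."""
    status, headers = parse_response(raw)
    problems = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301/308), got {status}")
    location = headers.get("location", [None])[0]
    if location is None:
        problems.append("no Location header")
    else:
        target = urlsplit(location)
        if target.scheme != "https" or target.hostname != host or (target.path or "/") != path:
            problems.append(f"redirects to {location!r}, expected https://{host}{path}")
    if "strict-transport-security" in headers:
        problems.append("HSTS over plain HTTP is ignored; send it from the HTTPS vhost instead")
    return problems

def check_https_side(raw, target_max_age=MAX_AGE_RAMP[-1]):
    """Problems with the HTTPS answer: HSTS must be present, well-formed and at target."""
    _, headers = parse_response(raw)
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        hsts = parse_hsts(values[0])     # RFC 6797: only the first STS field counts
    except ValueError as exc:
        return [f"malformed HSTS header: {exc}"]
    if hsts["max_age"] < target_max_age:
        return [f"max-age={hsts['max_age']} is below {target_max_age}; "
                f"next step on the ramp: {next_ramp_step(hsts['max_age'])}"]
    return []

if __name__ == "__main__":
    print("http :", check_http_side(HTTP_RESPONSE, "www.example.org") or "OK")
    print("https:", check_https_side(HTTPS_RESPONSE) or "OK")
    print("bad  :", check_http_side(BAD_HTTP_RESPONSE, "www.example.org"))
```

While you are still on the ramp, call check_https_side with target_max_age set to the step you have just deployed; with the default target it keeps reporting the next step until the half-year value is reached. The checker deliberately accepts the trailing semicolon from the Apache line above, since RFC 6797 allows empty directives.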

Additional security headers

Besides HSTS, other security headers can be set (for example Content-Security-Policy, X-Frame-Options, and others). The list is long and we will not describe them here.

You can, however, use the Security Headers tool to review which of them your site sends and to decide which to deploy.