Getting a perfect score at SSL Labs

Fastidious · March 23, 2017, 11:11pm

How will this block be exactly translated into Cadyfile?

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

matt · March 23, 2017, 11:14pm

I am busy at the moment but wanted to point you in the right direction at least: https://caddyserver.com/docs/tls and https://caddyserver.com/docs/header will be the two directives you want.

Note that ssl_stapling and ssl_stapling_verify and ssl_dhparam and ssl_prefer_server_ciphers will not be relevant when configuring Caddy. Neither will ssl_session_cache or ssl_session_timeout.

Fastidious · May 10, 2017, 7:52pm

Answering to myself, and for the records, this got me fairly close:

        header / {
                Strict-Transport-Security "max-age=31536000"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
                -Server
        }
        tls {
                key_type rsa4096
                protocols tls1.2
                must_staple
        }

system · August 8, 2017, 8:02pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.