Hi there, today I'm going to show you how to get an A+ on SSL Labs.
Note: This tutorial only applies to Caddy Server.
The DNS CAA
The DNS CAA record (Certification Authority Authorization) is a security mechanism that lets you declare which certificate authorities are allowed to issue certificates for your domain.
For instance, if you are using Let's Encrypt certificates, you would allow letsencrypt.org
to issue valid certificates for your domains.
To add this verification level, you must add a CAA record to your domain's DNS.
In plain zone-file text, the record looks like: your.domain. CAA 0 issue "letsencrypt.org"
Headers
To get the A+ score, you need to set up some headers, as shown below:
header {
X-Frame-Options "Deny"
Content-Security-Policy "
default-src 'none';
style-src 'self';
script-src 'self';
font-src 'self';
img-src data: 'self';
form-action 'self';
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
report-uri {$CSP_REPORT_URI}
"
X-Content-Type-Options "nosniff"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
Let's see what all of this stuff does, shall we?
- X-Frame-Options "Deny" disallows other pages or websites from embedding your pages in frames, iframes, embeds and objects. Instead of Deny, you can set it to SAMEORIGIN so that your own website can still frame them.
- X-Content-Type-Options "nosniff" is used to prevent MIME sniffing.
- Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" forces browsers to reach your domain over HTTPS, with a valid certificate, for the time period specified by the max-age parameter (one year in our case). If a valid HTTPS certificate is not presented, the browser will display an error. The includeSubDomains directive applies STS to all subdomains as well.
- Content-Security-Policy is a wide range of policies that control which origins your pages may load resources from (such as CSS or JavaScript files). The provided configuration only allows the current domain to load files, which can be problematic in some use cases. To allow another domain to load resources, just add it after 'self'. E.g.: style-src 'self' CDN.domain.TLD;
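As an added example (not part of the original post), here is a small Python checker that parses the headers discussed above and reports where a response falls short of this configuration: HSTS max-age below one year or without includeSubDomains, a missing nosniff, a missing or weak X-Frame-Options, and a CSP without a default-src fallback or with wildcard/'unsafe-inline' sources. The sample header sets are constructed for the example; the good one mirrors the Caddyfile block above.

```python
# Added example, not from the post: check a response's headers against the policy above.
def parse_hsts(value):
    """Return (max_age or None, lowercase set of directive names) for an HSTS value."""
    max_age, names = None, set()
    for name, _, val in (d.partition("=") for d in value.split(";") if d.strip()):
        name, val = name.strip().lower(), val.strip()
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        names.add(name)
    return max_age, names

def parse_csp(value):
    """Map each CSP directive to its sources; embedded newlines (as in the Caddyfile) are fine."""
    parts = (p.split() for p in value.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def check_headers(headers):
    """Return a list of findings; an empty list means the headers match the post."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, names = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < 31536000:  # one year, as in the post
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in names:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(h["content-security-policy"])
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        for directive, sources in policy.items():
            if "*" in sources or "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows * or 'unsafe-inline'")
    return findings
# Constructed samples: the post's headers and a weakened variant.
GOOD_HEADERS = {
    "X-Frame-Options": "Deny",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none';\n style-src 'self';\n script-src 'self'",
}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=3600", "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
```

Feed it the headers of a real response (for instance from `curl -I`) to see which of the post's recommendations a server is missing.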
Final words
Congrats!
You should be ready now. The only thing left to do is to test your settings with a tool like SSL Labs.