March 16

Secure… for now

So, just finished up getting SSL working on this new site using Let’s Encrypt and certbot. I had to hack /etc/hosts to point back to the internal IP as I was getting hit with hairpinning, but once I got that sorted, certbot worked as expected. I had to make a couple of manual configuration changes to the Apache virtual host file to get the correct certificate files and added the following to enhance security, really disabling insecure cipher suites. Got the A+ at so I am going to go with good for now on that front. Security is an ongoing thing, so I will be taking another look at this in the next couple of days.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
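
For the follow-up review, here is a small lint pass over the five directives above. It is an added example, not part of the original post; the protocol set that "all" expands to and the finding wording are assumptions of the example, and the real set depends on the Apache/OpenSSL build.

```python
# Protocols that "all" is modelled as expanding to; the real set depends on
# the Apache/OpenSSL build (assumption of this example).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

PAGE_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
"""

def enabled_protocols(args):
    """Resolve SSLProtocol arguments left to right."""
    enabled = set()
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        group = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:  # a bare name replaces whatever was set before it
            enabled = group
    return enabled

def lint(conf):
    """Return findings for the TLS and header directives in conf."""
    findings, seen = [], set()
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        seen.add(name)
        if name == "sslprotocol":
            old = sorted(enabled_protocols(args) & LEGACY)
            if old:
                findings.append("legacy protocols still enabled: " + ", ".join(old))
        elif name == "header" and len(args) > 1 and args[0].lower() == "set":
            findings.append(args[1] + ": not sent on error responses, use 'Header always set'")
    if "sslhonorcipherorder" in seen and "sslciphersuite" not in seen:
        findings.append("no SSLCipherSuite here: order applies to a list set elsewhere or the OpenSSL default")
    return findings

if __name__ == "__main__":
    for finding in lint(PAGE_CONF):
        print("-", finding)
```

A snippet that uses "SSLProtocol -all +TLSv1.2 +TLSv1.3", an explicit SSLCipherSuite line and "Header always set" comes back with no findings.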