Transport Layer Protection
Last updated
Last updated
This section contains recommendations for implementing protections on the transport layer.
Encrypt all communications between an application and clients from the Internet, such as client-side applications or third-party services.
If you need to listen on unencrypted HTTP connections on port 80, immediately redirect those connections with a permanent redirect (HTTP 301 status code) to port 443 to establish an HTTPS connection.
Do not load mixed content. In other words, do not include in pages accessible via TLS any resources, such as JavaScript or CSS, that are loaded over unencrypted HTTP.
Encryption of all communications including between application components from different subnets.
Use TLS version 1.2+ with all other protocols disabled.
Use only well-known and up-to-date TLS libraries.
Do not use weak TLS Cipher Suites.
If it is necessary to support legacy clients and weak cipher suites, disable at least the following types of cipher suites:
Null cipher suite.
Anonymous cipher suite.
EXPORT cipher suite.
Use sufficiently secure Diffie-Hellman parameters (at least 2048 bits) for cipher suites that use the ephemeral Diffie-Hellman key exchange (signified by the DHE or EDH strings in the cipher suite name).
Use TLS version 1.3 with all other protocols disabled.
Include the www subdomain to a certificate.
Do not include unqualified domain names in a certificate.
Do not include IP addresses in a certificate.
Avoid using wildcard certifications, for example, *.website.local. Only use wildcard certificates where you really need to, and not for convenience.
Do not use wildcard certificates for systems at different trust levels.
If wildcard certificates are used:
Limit the scope of a wildcard certificate by issuing it for a subdomain such as *.foo.bar.website.local.
Consider using a reverse proxy that does TLS termination so that the wildcard private key is only present on one system.
Maintain all systems that share the same wildcard certificate so that they can all be updated if the certificate expires or is compromised.
Use Certification Authority Authorization (CAA) DNS records to define which CAs are permitted to issue certificates for a domain.
Provide the full certificate chain.
Disable caching for GET, HEAD and POST requests that pass sensitive data. Add the following HTTP header to disable caching for such requests:
Add HTTP Strict-Transport-Security response header to protect a user from downgrade attacks:
Use TLS to encrypt communications, see the section.
Use at least the base cookie format to instruct the browser to only send cookies over encrypted HTTPS connections, see the page.
Prevent caching of sensitive data, see the section.
Add secure HTTP headers that help to protect from downgrade attacks, cookie hijacking and other attacks, see the section.
Implement work with certificates in accordance with the section.
You can use to select the software you are using and create a configuration file that is secure and compatible with a wide variety of browser versions and server software.
If it is necessary to support legacy clients and weak cipher suites, enable the extension to prevent downgrade attacks against clients.
Disable TLS compression to protect against the vulnerability which could potentially be used to recover sensitive information such as session cookies.
You can find guidance on how various web servers can be configured to use these generated parameters at the website.
Use only cryptographically strong algorithms to create a signature, see the page.
Generate keys of the proper size to provide the desired level of security, see the page.
Comply with requirements from the page.
Use strong cryptographic hashing algorithms such as hashing algorithms from the SHA-2 or SHA-3 family, see the page.
Use the of the server as the domain name (or subject) of the certificate.
Set the primary to the commonName (CN) attribute and the full list of in the subjectAlternativeName (SAN) attribute.
Do not include internal domain names in externally facing certificates. If a server is accessible using both internal and external , configure it with multiple certificates.
