Securing your site with nginx

This week in the Netherlands the news hit again that some secure websites where vulnerable to a downgrade attack. This attack is not new, but for the average user it is hard to detect. You have to be careful that you see the lock when you are entering your credentials.

Fortunately, most new web servers and browsers have a setting for it, called HTTPs Strict Transport Security (HSTS). With that feature enabled, if your browser has ever contacted a website over a secure link (HTTPS), then it will not allow a downgrade to plain HTTP for that host. This of course means that you are more secure, at least as long as you watch out for certificate warnings. I use the nginx webserver, and use some other things for security, which I’ll share with you below. The SSLLabs test will give this configuration an A+ currently.

Edit 26/3: @okoeroo gave me a better list of ciphers which scores even higher with SSLabs:

    ssl_ciphers  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:CAMELLIA256-SHA:AES256-SHA;

Continue reading