The ultimate resource for optimal SSL/TLS configuration
Browse our SSL/TLS configuration guides to achieve optimal performance and cybersecurity trust. We’ve covered the most important configurations and best practices and have included specific how-to information for a variety of server types. Choose your tech stack to find articles that only include those solutions.
SSL/TLS Configuration Guides:

What Is HSTS Preload? How to Check & Enable It
HTTP strict transport security (HSTS) preload (also called HSTS preloading) ensures that browsers always connect to your website securely via the hypertext transfer protocol (HTTPS). It preloads your domain into a list that a browser checks before loading a domain, enforcing encrypted connections by default from the very first connection. …

What Is OCSP Stapling and How Does It Work?
OCSP stapling is a performance-enhancing and privacy-protecting extension to the online certificate status protocol (OCSP). Basically, its job is to streamline validating an SSL/TLS certificate’s revocation status. Without OCSP stapling, browsers directly contact the certificate authority (CA) to verify the certificate’s status — a process that introduces latency and results in…

Do I Need a CAA Record? How to Check & Add One
A certificate authority authorization (CAA) record is a DNS resource that boosts security by giving site owners control over which certification authorities (CAs) can issue SSL/TLS certificates for their domains. Managing these critical domain name system (DNS) records is integral to Learn how to create and add a CAA record…
SSL/TLS Configuration Statistics
When you visit a website that displays the padlock, you might assume it’s secure. But how many of those sites have actually configured secure encryption? How many websites follow basic SSL/TLS best practices? We took the top 100 websites (by traffic) and compared their SSL/TLS configurations to a random cross-section of sites across the web. See how they stack up:
| SSL/TLS Best Practice | Top 100 websites | Random Cross-section |
|---|---|---|
| Disabled SSL V2 | 100% | 99.82% |
| Disabled SSL V3 | 99% | 98.42% |
| Has TLS 1 | 40% | 23.47% |
| Has TLS 1.1 | 41% | 25.04% |
| Has TLS 1.2 | 100.00% | 60.42% |
| Has TLS 1.3 | 86% | 60.77% |
| HSTS Offered | 55% | 16.81% |
| HSTS Preload Enabled | 30% | 0.09% |
| Has CAA Record | N/A | 4.38% |
| Has OCSP Stapling | N/A | 35.55% |
| HTTP redirects to HTTPS | 71% | 76.97% |
| Has Intermediate Certificate | N/A | 72.24% |
SSL/TLS Deployment Best Practices Course:
Learn the basic components of SSL/TLS configuration from Ivan Ristić, the author of SSL Labs. Taken from his book Bulletproof SSL and TLS, the following video covers configuration best practices for keys, certificates, protocols, suites, and more.
Video Contents:
- Keys: Algorithms, Size, & Management
- Certificates: Validation, Hostnames, Sharing, Lifetime, Signature Algorithms, & Chain Correctness
- Protocol Configuration
- SSL Pulse: Protocol Support, Forward Secrecy
- Suites: Configuration, Compatibility, & New Suites Coming Soon



