SSL/TLS encrypts traffic between clients and your server. Use modern protocol versions and strong ciphers; automate renewal and protect private keys so your hosting stays secure.
TLS versions
- Use TLS 1.2 or 1.3; disable TLS 1.0, 1.1, and SSLv3 (deprecated and weak).
- Configure the server (or load balancer) to prefer the strongest supported option; test with SSL Labs.
Certificates and renewal
- Automated renewal (e.g. Let's Encrypt, ACME, or provider-managed) avoids expiry surprises.
- Keep private keys on the server with restricted permissions; do not expose or commit them.
- For wildcards or EV, you may need a commercial CA; ensure renewal is scheduled or automated.
Hardening
- HSTS: Tell browsers to use HTTPS only; reduces downgrade risk.
- Strong ciphers: Disable weak or legacy ciphers; prefer forward secrecy.
- Keep the OS and libraries (OpenSSL, etc.) updated so known vulnerabilities are patched.
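An added example (not part of the original page): a small Python audit that checks a server configuration for the points listed above (deprecated protocols, weak or non-forward-secret ciphers, missing HSTS, loose private key permissions). It assumes nginx directive syntax, since the page names no particular server; the sample configurations and key path are constructed.

```python
import os
import re
import stat

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # DES also matches 3DES

def directive(conf, name):
    """Arguments of every `name ...;` directive (commented-out lines are skipped)."""
    return re.findall(rf"^[ \t]*{re.escape(name)}\s+([^;]+);", conf, re.MULTILINE)

def audit(conf):
    findings = []
    protocols = directive(conf, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set explicitly")
    for args in protocols:
        for proto in sorted(set(args.split()) & WEAK_PROTOCOLS):
            findings.append(f"deprecated protocol enabled: {proto}")
    for args in directive(conf, "ssl_ciphers"):
        for suite in args.strip("'\" ").split(":"):
            if suite.startswith("!"):  # '!' entries are exclusions, not offers
                continue
            if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
                findings.append(f"weak cipher allowed: {suite}")
            elif "-" in suite and not suite.startswith(("ECDHE-", "DHE-")):
                findings.append(f"no forward secrecy: {suite}")
    headers = [a.lower() for a in directive(conf, "add_header")]
    if not any(h.startswith("strict-transport-security") for h in headers):
        findings.append("HSTS header missing")
    for path in directive(conf, "ssl_certificate_key"):
        path = path.strip()
        # Any group/other permission bit on the key file is a finding.
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"private key accessible to group/other: {path}")
    return findings

# Constructed sample configurations (not from a real server).
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA;
ssl_certificate_key /etc/ssl/private/example.key;
"""
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_certificate_key /etc/ssl/private/example.key;
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A static check like this complements, and does not replace, an external scan such as SSL Labs, which tests what the server actually negotiates.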
Summary
Use TLS 1.2/1.3, disable old protocols, prefer automated renewal, and restrict key access. HSTS and strong ciphers improve security; review and test configuration regularly.




