HTTPS Is the Baseline — But It's Not Enough on Its Own
A padlock in the browser does not mean the site is secure. The certificate proves that the server answering for your hostname is the one the certificate authority vetted; the TLS handshake provides the encryption. Neither says anything about how the server is configured: obsolete protocol versions, weak cipher suites, an expired certificate, or mixed content can each leave visitors exposed behind a padlock. This guide covers what a sound SSL/TLS deployment actually looks like.
Choose the Right Certificate Type
Certificates come in three validation levels:
- Domain Validation (DV): Confirms you control the domain. Issued quickly and available free from Let's Encrypt. Appropriate for most websites.
- Organization Validation (OV): The CA also vets the legal identity of your organization. That identity appears in the certificate details but not in the browser UI, which treats OV and DV identically. Useful where policy or contracts require a vetted certificate; it does not make the TLS connection itself any stronger.
- Extended Validation (EV): The most thorough identity vetting. EV certificates once earned a green address bar showing the organization name, but Chrome and Firefox removed that treatment in 2019, so EV no longer gives visitors any visible signal. Choose it only where a regulator, payment scheme, or contract requires it.
For most websites, a free DV certificate from Let's Encrypt is entirely appropriate and trusted by all major browsers.
Use Modern TLS Versions Only
Older protocol versions have known weaknesses: SSL 3.0 is broken by POODLE, and TLS 1.0 and 1.1 offer only CBC-mode and RC4 ciphers (no AEAD) and derive keys with an MD5/SHA-1 based PRF. Leaving them enabled also lets an active attacker downgrade a connection to the weakest version both sides still accept. SSL 2.0 and 3.0 are prohibited by RFC 6176 and RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
| Protocol | Status | Action |
|---|---|---|
| SSL 2.0 / 3.0 | Broken (prohibited by RFC 6176 / RFC 7568) | Disable immediately |
| TLS 1.0 | Deprecated (RFC 8996) | Disable |
| TLS 1.1 | Deprecated (RFC 8996) | Disable |
| TLS 1.2 | Acceptable with a restricted cipher list | Keep for older clients, but prefer 1.3 |
| TLS 1.3 (RFC 8446) | Current standard | Enable and prioritize |
Configure Strong Cipher Suites
Cipher suites define the key exchange, authentication, bulk encryption, and integrity algorithms negotiated in a TLS handshake. Disable obsolete and weak suites (RC4, DES, 3DES, export-grade, NULL and anonymous suites, MD5 MACs). TLS 1.3 only defines AEAD suites with ephemeral key exchange, so this hardening mostly concerns the list you offer to TLS 1.2 clients. Prioritize suites that offer:
- Perfect Forward Secrecy (PFS): session keys come from an ephemeral Diffie-Hellman exchange (ECDHE, or DHE with groups of at least 2048 bits), so a future compromise of the server's long-term private key does not let an attacker decrypt recorded past sessions. Static RSA key exchange (suite names with no ECDHE or DHE prefix) offers no such protection.
- AEAD encryption: AES-GCM and ChaCha20-Poly1305 encrypt and authenticate in one operation and avoid the padding-oracle problems of CBC-mode suites.
Tools like Mozilla's SSL Configuration Generator provide ready-to-use configuration templates for Apache, Nginx, and other web servers based on the oldest clients you need to support; its "Intermediate" profile suits most sites.
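The same policy expressed as code, as an added example for this guide (not code from the page, from Mozilla's generator, or from any web server): it builds a server-side TLS context with the standard-library ssl module that refuses anything below TLS 1.2 and offers only ECDHE + AEAD suites, then audits the suite list OpenSSL actually enabled. The permissive cipher string used for contrast is a constructed bad example, and the exact suite names reported depend on the OpenSSL build underneath Python.

```python
"""Build a hardened TLS server context and audit what it will negotiate.

Added example for this guide, not code from the page or from any web server's
own configuration. It uses only the standard-library ssl module (OpenSSL
underneath), so the exact suite names listed depend on the OpenSSL build.
The permissive cipher string used for contrast is a constructed bad example.
"""
import ssl
from typing import List, Tuple

# TLS 1.2 list: ECDHE key exchange (forward secrecy) + AEAD ciphers only.
# TLS 1.3 suites are configured separately by OpenSSL and are all AEAD + PFS.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"
# Constructed weak list for contrast: "ALL" re-enables static-RSA and CBC suites.
PERMISSIVE_CIPHERS = "ALL"

# Substrings that mark a TLS 1.2 suite as obsolete or unsafe
# (RC4, DES/3DES, export grade, NULL cipher, MD5 MAC, anonymous DH/ECDH).
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH")


def suite_is_acceptable(name: str) -> bool:
    """True for TLS 1.3 suites and for TLS 1.2 suites with PFS and AEAD.

    Suite names follow OpenSSL conventions, e.g. ECDHE-RSA-AES128-GCM-SHA256
    (TLS 1.2) or TLS_AES_128_GCM_SHA256 (TLS 1.3).
    """
    if any(marker in name for marker in WEAK_MARKERS):
        return False
    if name.startswith("TLS_"):
        return True  # every TLS 1.3 suite is AEAD with ephemeral key exchange
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = "GCM" in name or "CHACHA20" in name
    return forward_secret and aead


def build_server_context(ciphers: str = HARDENED_CIPHERS) -> ssl.SSLContext:
    """Server context that refuses SSL 3.0/TLS 1.0/TLS 1.1 and offers `ciphers`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # nothing older is negotiable
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(ciphers)                       # applies to the TLS 1.2 list
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Tuple[List[str], List[str]]:
    """Return (all enabled suite names, the subset that fails the policy)."""
    names = [suite["name"] for suite in ctx.get_ciphers()]
    rejected = [n for n in names if not suite_is_acceptable(n)]
    return names, rejected


if __name__ == "__main__":
    for label, cipher_string in (("hardened", HARDENED_CIPHERS),
                                 ("permissive", PERMISSIVE_CIPHERS)):
        enabled, rejected = audit_context(build_server_context(cipher_string))
        print(f"{label}: {len(enabled)} suites enabled, {len(rejected)} rejected")
        for name in rejected[:5]:
            print("   would allow weak suite:", name)
```

The audit works on the suite names OpenSSL reports rather than on the cipher string you wrote, which is the point: what matters is what the library will actually negotiate, and a typo in a cipher string fails open rather than closed. Run the same audit against the names a scanner such as testssl.sh prints for your live server.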
Implement HTTP Strict Transport Security (HSTS)
HSTS tells a browser that has seen the header to reach your site only over HTTPS for the stated period, so an attacker on the network cannot silently downgrade a returning visitor to plain HTTP (SSL stripping). Browsers honour the header only when it arrives over HTTPS, and it does not protect a visitor's very first connection unless the domain is on the preload list. Add the following header to your HTTPS responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age: Seconds for which the browser must insist on HTTPS for this host. 31536000 (one year) is the usual value and the minimum the preload list accepts; max-age=0 tells the browser to forget the policy.
- includeSubDomains: Applies the policy to every subdomain as well. Without it, an attacker can still strip a subdomain and, for example, set cookies scoped to the parent domain from there.
- preload: Signals consent for inclusion in the browser-maintained HSTS preload list, which ships the policy inside the browser so even a first visit is HTTPS-only. The directive alone does nothing; you must also submit the domain at hstspreload.org, which requires all three directives.
Caution: Before submitting to the preload list, make sure every subdomain, including internal and legacy hosts, is served over HTTPS with a valid certificate, because a preloaded includeSubDomains policy makes them unreachable otherwise. Removal from the list takes months to propagate through browser releases, so deploy the header without preload first and add it once nothing breaks.
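A parser and checker for the header above, as an added example for this guide (not code from the page or from any browser). It applies the RFC 6797 syntax rules that make a browser ignore a malformed header, then checks the three preload-list criteria. The sample header strings are constructed; the check covers the header only, not the HTTP-to-HTTPS redirect the preload list also requires.

```python
"""Parse and audit Strict-Transport-Security headers.

Added example for this guide (not code from the page or from any browser/CA).
Sample headers are constructed. Syntax follows RFC 6797; the preload criteria
checked are the published hstspreload.org requirements: max-age of at least
one year, includeSubDomains, and the preload directive.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {directive_name: value_or_None} with names lower-cased.

    Returns None when the header is malformed in a way RFC 6797 says a browser
    must ignore: a repeated directive, or a missing/non-numeric max-age.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty elements (e.g. a trailing ';') are allowed
        name, sep, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"') if sep else None  # values may be quoted
        if name in directives:
            return None  # RFC 6797 s6.1: a directive may appear only once
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is required and must be delta-seconds
    return directives


def audit_hsts(header: str) -> List[str]:
    """List reasons the header falls short of full HSTS + preload protection."""
    directives = parse_hsts(header)
    if directives is None:
        return ["header is malformed; browsers will ignore it entirely"]
    problems: List[str] = []
    max_age = int(directives["max-age"] or "0")
    if max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year preload minimum")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing: subdomains stay strippable")
    if "preload" not in directives:
        problems.append("preload missing: first visits stay unprotected")
    return problems


if __name__ == "__main__":
    # Constructed samples: the recommended header, then common mistakes.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=31536000; max-age=0",
                   "includeSubDomains; preload"):
        print(f"{sample!r}: {audit_hsts(sample) or 'OK'}")
```

The duplicate-directive and missing-max-age cases matter in practice: a header that is emitted twice (for example by both a proxy and the application) or that lost its max-age in a template edit is not merely weaker, it is silently discarded by the browser, so a header check should report that as a distinct failure.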
Eliminate Mixed Content
Mixed content occurs when an HTTPS page loads subresources (images, scripts, stylesheets, iframes, media) over plain HTTP. A script or stylesheet fetched over HTTP can be replaced by a network attacker and then runs with the full privileges of the HTTPS page, so browsers block such active mixed content outright; images and media are auto-upgraded to HTTPS or loaded with a warning. The browser developer-tools console reports every mixed resource as it is blocked; to cover a whole site, crawl the pages or serve a Content-Security-Policy-Report-Only header to collect reports from real visitors. Where old content cannot be rewritten, the CSP directive upgrade-insecure-requests makes browsers fetch http: subresources over https: instead. Note that SSL Labs tests the server's TLS configuration, not the content of your pages, so it will not find mixed content.
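A scanner that finds mixed content in HTML before a browser does, as an added example for this guide (not code from the page or from any browser). It resolves each subresource URL against the page URL, so relative and protocol-relative references correctly inherit https:, and it separates active (blocked) from passive (upgraded or warned) content following the W3C Mixed Content categories. The sample page is constructed.

```python
"""Scan HTML for subresources that an HTTPS page would load over plain HTTP.

Added example for this guide, not code from the page or from any browser.
The sample document below is constructed. Active resources (scripts,
stylesheets, frames, plugins) are reported as "blocked", since browsers refuse
them; images and media as "upgraded-or-warned". Plain <a href> links are
navigations, not subresource fetches, so they are not mixed content.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Attributes that carry a subresource URL, per element.
URL_ATTRS: Dict[str, Tuple[str, ...]] = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",), "img": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
}
BLOCKABLE = {"script", "link", "iframe", "object", "embed"}

Finding = Tuple[str, str, str]  # (severity, tag, absolute URL)


def _candidate_urls(attr: str, value: str) -> List[str]:
    """srcset holds 'url descriptor, url descriptor'; other attrs hold one URL."""
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        attr_map = dict(attrs)
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return  # only stylesheet links are fetched as subresources here
        for attr in URL_ATTRS.get(tag, ()):
            raw = attr_map.get(attr)
            if not raw:
                continue
            for candidate in _candidate_urls(attr, raw):
                absolute = urljoin(self.page_url, candidate)  # relative and // inherit https
                if urlsplit(absolute).scheme == "http":
                    severity = "blocked" if tag in BLOCKABLE else "upgraded-or-warned"
                    self.findings.append((severity, tag, absolute))


def scan_html(page_url: str, html: str) -> List[Finding]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page with one active and three passive mixed resources.
SAMPLE_PAGE_URL = "https://www.example.com/page"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="/static/safe.png" srcset="http://img.example/hero-2x.png 2x, /static/hero.png 1x">
<a href="http://other.example/">plain link, not mixed content</a>
<video poster="https://media.example/poster.jpg" src="http://media.example/clip.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:18} <{tag}> {url}")
```

Run it over a rendered page (the HTML after templates and any server-side includes), not the template source, and remember that scripts can inject http: resources at runtime; the developer-tools console or a CSP report endpoint is still needed for those.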
Automate Certificate Renewal
An expired certificate takes your site offline for every visitor at once and erodes trust. Let's Encrypt certificates are valid for 90 days; Certbot's packaged systemd timer or cron job runs `certbot renew` twice a day and replaces any certificate with fewer than 30 days left. Confirm the job is installed and that `certbot renew --dry-run` succeeds, make sure the web server reloads after renewal (a renewed file on disk does nothing until the server picks it up), and monitor the expiry of the certificate actually being served rather than relying on reminder emails: an alert at 14 days remaining means renewal has already been failing for two weeks, which still leaves time to fix it.
Test Your Configuration
After configuring TLS, verify your implementation with these free tools:
- SSL Labs Server Test (ssllabs.com/ssltest): Comprehensive grading of your TLS configuration, covering protocol versions, cipher suites, the certificate chain, and known protocol vulnerabilities.
- Security Headers (securityheaders.com): Checks for HSTS, CSP, and other security headers on a live response.
- testssl.sh: Command-line tool for detailed TLS testing from your own machine, which also reaches internal hosts the online services cannot; `testssl.sh example.com` runs the full set of checks.
Proper TLS configuration is one of the most impactful and cost-effective security measures you can implement. Combined with HSTS, strong cipher suites, and automated renewal, it forms the backbone of your site's transport security.