SSL/TLS Hardening Guide
Configuring your web server's SSL/TLS settings correctly is critical to protecting data in transit. Outdated protocols and weak cipher suites expose your application to downgrade attacks, decryption, and interception.
Security Profiles
We base our configurations on the industry-standard [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/).
TLS 1.3 vs TLS 1.2
TLS 1.3 is the newest standard. It removes support for outdated cryptography algorithms and reduces the handshake time, resulting in faster and more secure connections. In TLS 1.3, cipher suites are vastly simplified and you generally do not need to configure them manually.
OCSP Stapling
When a client connects to your server via HTTPS, it usually contacts your Certificate Authority (CA) to check if your certificate has been revoked. OCSP Stapling allows your server to periodically download this revocation status and "staple" it to the initial TLS handshake.
This: