HTTPS is no longer optional; it's the baseline. But "SSL enabled" isn't enough: modern TLS configuration is critical for both security and performance. This article covers what's different in TLS 1.3, cipher suite selection, extras such as HSTS and OCSP stapling, and the SSL Labs A+ configuration.
TLS 1.3: What Changed?
- 1-RTT handshake (vs 2-RTT in TLS 1.2) — the first connection is cut in half
- 0-RTT resumption — on repeat visits, data goes out with the first flight instead of waiting for the handshake (0-RTT data is replayable, so servers should accept it only for idempotent requests)
- Weak ciphers and modes removed: RC4, 3DES, CBC-mode suites, MD5, SHA-1
- Only AEAD ciphers: AES-GCM, ChaCha20-Poly1305
- Perfect Forward Secrecy (PFS) is mandatory — past traffic stays safe even if the private key leaks
Modern Configuration for Nginx
# /etc/nginx/conf.d/ssl.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# Modern cipher suite (Mozilla recommendation)
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# Session tickets & cache
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
# DH params (2048 bit)
ssl_dhparam /etc/nginx/dhparams.pem;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Generate dhparams.pem once from a shell (this is a command, not part of ssl.conf; takes 5-10 minutes)
sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
HSTS (HTTP Strict Transport Security)
HSTS tells the browser to reach this domain only over HTTPS. After the first HTTPS response that carries the header, the browser won't even attempt plain-HTTP connections to the domain for a year, which defeats SSL-stripping attacks (the preload list closes the remaining window before that first visit).
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# max-age: 1 year (in seconds)
# includeSubDomains: all subdomains included
# preload: request to be added to Chrome's HSTS preload list
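To check that a deployed header actually meets the bar, here is a small validator. It is an added example and not code from the article: it parses the Strict-Transport-Security directives (case-insensitive, per RFC 6797), applies the article's checklist threshold (max-age of at least six months, taken here as 180 days, an assumption) and the HSTS preload list's own conditions (max-age of at least one year, includeSubDomains and preload present). `fetch_hsts` pulls the header from a live host and is only needed when you run it against a real server.

```python
"""Validate a Strict-Transport-Security header value.

Added example, not from the original article. Thresholds: the article's
"max-age >= 6 months" (read here as 180 days, an assumption) and the
preload list requirements (max-age >= 1 year, includeSubDomains, preload).
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional

SIX_MONTHS = 180 * 24 * 3600   # assumption: "6 months" read as 180 days
ONE_YEAR = 31536000            # minimum max-age accepted by the preload list


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Split the header into its directives; names are case-insensitive."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def check_hsts(value: str) -> List[str]:
    """Return problem codes; an empty list means the header meets the A+
    baseline and, if it asks for preload, the preload list's conditions."""
    p = parse_hsts(value)
    problems = []
    if p.max_age is None:
        problems.append("missing-max-age")
    elif p.max_age == 0:
        problems.append("max-age-zero")        # max-age=0 tells browsers to forget the policy
    elif p.max_age < SIX_MONTHS:
        problems.append("max-age-below-6-months")
    if p.preload:
        # The preload list only honours the directive when both conditions hold.
        if p.max_age is not None and p.max_age < ONE_YEAR:
            problems.append("preload-needs-1-year")
        if not p.include_subdomains:
            problems.append("preload-needs-includeSubDomains")
    return problems


def fetch_hsts(host: str, port: int = 443) -> Optional[str]:
    """Fetch the header from a live server over HTTPS (needs network access)."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample input: the header value from the article's Nginx config.
ARTICLE_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for h in (ARTICLE_HEADER, "max-age=3600", "max-age=31536000; preload", "max-age=0"):
        print(f"{h!r}: {check_hsts(h) or 'OK'}")
```

The problem codes are deliberately machine-readable so the check can sit in a CI job or a monitoring probe; a header that sets `preload` without `includeSubDomains` passes the A+ bar but will be rejected by the preload list, which is why the two checks are reported separately.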
OCSP Stapling
The browser checks whether a certificate has been revoked (via CRL or OCSP). With OCSP stapling, the server fetches the CA's signed OCSP response itself and delivers it alongside the certificate, so the browser never has to contact the CA, saving 50-200 ms.
Handshake Time Analysis
# Measure TLS handshake time
curl -w "dns: %{time_namelookup}\ntcp: %{time_connect}\ntls: %{time_appconnect}\nttfb: %{time_starttransfer}\ntotal: %{time_total}\n" -o /dev/null -s https://example.com
# Debug with OpenSSL
openssl s_client -connect example.com:443 -tls1_3 -servername example.com
Cipher Suite Breakdown
A TLS 1.2 cipher suite name has four parts: ECDHE (key exchange) + RSA/ECDSA (authentication) + AES-GCM/ChaCha20-Poly1305 (symmetric AEAD encryption) + SHA-256 (the hash behind the MAC/PRF). TLS 1.3 simplified this: a name such as TLS_AES_128_GCM_SHA256 specifies only the symmetric cipher and hash, while key exchange and authentication are negotiated separately.
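The following parser makes that breakdown concrete and turns it into an audit of an ssl_ciphers string. It is an added example, not code from the article: it splits OpenSSL-style TLS 1.2 names and TLS 1.3 names into the components named above and flags any suite that lacks forward secrecy (no ECDHE/DHE) or is not AEAD (no GCM/Poly1305). It only understands explicit suite names; OpenSSL aliases such as HIGH or ECDHE+AESGCM are skipped rather than expanded.

```python
"""Split OpenSSL cipher-suite names into their components and audit an
ssl_ciphers list for forward secrecy and AEAD.

Added example, not from the original article. Handles TLS 1.2 names in
OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256) and TLS 1.3 names
(TLS_AES_128_GCM_SHA256). Only explicit suite names are parsed.
"""
from dataclasses import dataclass
from typing import List, Optional

FS_KEX = ("ECDHE", "DHE")        # ephemeral key exchange: forward secrecy
STATIC_KEX = ("ECDH", "DH")      # static variants: no forward secrecy
AUTH = ("ECDSA", "RSA", "DSS", "PSK")


@dataclass
class Suite:
    name: str
    kex: Optional[str]       # key exchange; None in TLS 1.3 (negotiated separately)
    auth: Optional[str]      # authentication; None in TLS 1.3
    cipher: str              # symmetric encryption
    prf_hash: str            # hash behind the MAC / PRF (HKDF in TLS 1.3)
    tls13: bool = False

    @property
    def forward_secret(self) -> bool:
        return self.tls13 or self.kex in FS_KEX

    @property
    def aead(self) -> bool:
        return "GCM" in self.cipher or "POLY1305" in self.cipher


def parse_suite(name: str) -> Suite:
    """Break one suite name into the four components described in the text."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and the HKDF hash.
        cipher, _, prf_hash = name[4:].rpartition("_")
        return Suite(name, None, None, cipher, prf_hash, tls13=True)

    tokens = name.split("-")
    if tokens[0] in FS_KEX + STATIC_KEX:
        kex = tokens.pop(0)
        auth = tokens.pop(0) if tokens[0] in AUTH else "RSA"
    else:
        kex = auth = "RSA"   # legacy static-RSA key exchange, e.g. AES128-SHA
    if tokens[-1].startswith("SHA"):
        prf_hash = tokens.pop()
        if prf_hash == "SHA":
            prf_hash = "SHA1"   # a bare "SHA" means SHA-1 in OpenSSL names
    else:
        prf_hash = "SHA256"     # ChaCha20-Poly1305 names omit their implicit SHA256
    return Suite(name, kex, auth, "-".join(tokens), prf_hash)


def audit(cipher_list: str) -> List[str]:
    """Return the names in a colon-separated ssl_ciphers string that lack
    forward secrecy or AEAD; an empty list means the list is clean."""
    weak = []
    for raw in cipher_list.split(":"):
        name = raw.strip()
        if not name or name[0] in "!-+@":
            continue             # OpenSSL list operators, not suite names
        suite = parse_suite(name)
        if not (suite.forward_secret and suite.aead):
            weak.append(name)
    return weak


# Sample input: the ssl_ciphers value from the article's Nginx config.
NGINX_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

if __name__ == "__main__":
    for entry in NGINX_CIPHERS.split(":"):
        s = parse_suite(entry)
        print(f"{s.name:32} kex={s.kex} auth={s.auth} cipher={s.cipher} hash={s.prf_hash}")
    print("weak suites in article config:", audit(NGINX_CIPHERS) or "none")
    # A CBC suite and a static-RSA suite both fail the audit:
    print("weak suites in legacy list:", audit("ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384"))
```

Run against the article's list every suite passes; a legacy string like `ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384` is reported in full, because the first entry is CBC (no AEAD) and the second uses static RSA key exchange (no forward secrecy).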
ECDSA Certificates
Using an ECDSA P-256 certificate instead of RSA 2048-bit speeds up the TLS handshake by 30-50% and shrinks signature sizes. Let's Encrypt supports ECDSA — use the --key-type ecdsa flag in Certbot.
sudo certbot --nginx --key-type ecdsa --elliptic-curve secp256r1 -d example.com
Mixed Content
If an HTTPS page loads resources (img, js, css) over HTTP, modern browsers block them. Make all URLs protocol-relative (//cdn.example.com) or explicitly https://.
Content-Security-Policy: upgrade-insecure-requests
Checklist for SSL Labs A+
- TLS 1.2 + TLS 1.3
- Weak protocols disabled (TLS 1.0, 1.1, SSLv3)
- Forward Secrecy
- HSTS header, max-age ≥ 6 months
- Strong ciphers only
- OCSP stapling
- Valid certificate chain
- Correct SNI
- DNS CAA record
# DNS CAA record
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
Performance: HTTP/2 and HTTP/3
Once HTTPS is enabled, HTTP/2 is basically free: listen 443 ssl http2; (on Nginx 1.25.1 and later the http2 parameter of listen is deprecated in favour of the separate http2 on; directive). HTTP/3 (QUIC) is newer: it requires Nginx 1.25+, an additional listen 443 quic; directive, UDP 443 open, and an Alt-Svc response header so browsers know they can switch. It makes a noticeable difference under packet loss, especially on mobile.
Certificate Renewal Automation
# Check the Certbot timer
systemctl list-timers | grep certbot
# Hook — reload nginx after renewal
echo '#!/bin/bash
systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload.sh
# Monitor: alert within 14 days of expiry
# Prometheus blackbox exporter + alert
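Where a blackbox exporter isn't available, the expiry check itself is a few lines of standard-library Python. This is an added example and not code from the article: `ssl.cert_time_to_seconds()` parses the `notAfter` format that `getpeercert()` returns, the alert threshold follows the article's 14-day guideline, and `now` can be passed in explicitly so the logic runs offline. `SAMPLE_NOW` is a constructed reference instant used only for the demonstration; `fetch_not_after` talks to a real server.

```python
"""Certificate-expiry check for renewal monitoring.

Added example, not from the original article. Standard library only:
ssl.cert_time_to_seconds() parses the "Jun  1 12:00:00 2026 GMT" form
that getpeercert() returns. Alert threshold: 14 days, as in the article.
"""
import socket
import ssl
import sys
import time
from typing import Optional

ALERT_DAYS = 14   # from the article: alert within 14 days of expiry

# Constructed reference instant so the check can be exercised without a network.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 1 00:00:00 2026 GMT")


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Whole days left on a certificate; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def needs_alert(not_after: str, threshold_days: int = ALERT_DAYS,
                now: Optional[float] = None) -> bool:
    """True when the certificate is within threshold_days of expiry (or past it)."""
    return days_until_expiry(not_after, now) <= threshold_days


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate's notAfter from a live server (needs network).
    create_default_context() verifies the chain and hostname, so a broken
    chain shows up here as an SSLError rather than a silently wrong date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Offline demonstration with constructed dates relative to SAMPLE_NOW.
    for sample in ("Jan 10 00:00:00 2026 GMT", "Mar 1 00:00:00 2026 GMT"):
        print(sample, "->", days_until_expiry(sample, SAMPLE_NOW), "days,",
              "ALERT" if needs_alert(sample, now=SAMPLE_NOW) else "ok")
    # Live check: python3 cert_expiry.py example.com  (exit code 2 = alert)
    if len(sys.argv) > 1:
        not_after = fetch_not_after(sys.argv[1])
        print(sys.argv[1], "expires", not_after, f"({days_until_expiry(not_after)} days)")
        sys.exit(2 if needs_alert(not_after) else 0)
```

The non-zero exit code is what a cron job or a systemd timer hooks an alert onto; because the check uses days remaining rather than a fixed calendar date, it keeps working across renewals without any edits.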
Web Security and Application Defense
Modern web security uses defense-in-depth: TLS 1.3 and HSTS for encrypted transport, WAF (Web Application Firewall) against OWASP Top 10, BCrypt or Argon2id for password hashing, JWT tokens with proper signature verification (HMAC or RSA), CSRF tokens with SameSite cookies and Content Security Policy to mitigate XSS. Prepared statements prevent SQL injection, fail2ban or rate limiting blocks brute force, and DDoS protection via Cloudflare or anti-DDoS providers is essential. Vulnerability scanning (Burp Suite, OWASP ZAP) and regular security audits significantly reduce data leak and account takeover risks in production.
Conclusion
A modern HTTPS configuration boosts not only security but also performance. TLS 1.3, ECDSA and HTTP/2 together typically speed up a site by 20-30%. Getting an A+ on SSL Labs is a 10-minute job; it's a standard that has become a requirement.
Reach out to KEYDAL for SSL Labs A+ configuration, HTTP/3 setup and certificate management.