Perfectionist's guide to TLS optimizations and HTTP header security
Not every HTTPS site is equal, and there is a big role Transport Layer Security (formerly called Secure Socket Layer) plays in web security and performance.
Furthermore, there are HTTP headers that can enforce browsers to make our web sites and applications secure. In this talk, we will take a plain HTTP site and apply TLS security tightening and performance optimizations to maximize the TLS connection security and performance.
- Dual RSA/ECC certificate setup.
- OCSP stapling and must-staple extension
- DNS CAA records
- TLS 1.3
- HSTS and HSTS preloading
- TLS versions and cipher suits
At the end of this part, we will tune our once-insecure site to score 100% in SSL Labs TLS test.
In the second part, we will learn about HTTP headers that can improve performance and most importantly, the security of web applications.
Modern HTTP headers such as CSP, HSTS, and Feature Policy can effectively minimize the impact of security breaches, and it could mean savings on both revenue and user trust the worst were to happen.
There will be a short Q&A, and we will be taking a look at some of the additional tools we can use to monitor the web sites for fraudulent HTTPS certificates, and how to act in case your TLS stack is compromised.