With the increasing requirement to secure communications online, we’re going to look at how to quickly and easily get started with HTTPS. We’ll take a website from HTTP to HTTPS, including obtaining a certificate and configuring TLS, all within an hour! On top of our deployment of HTTPS we’ll look at modern application defences that can help us provide a secure browsing experience to our users. Content Security Policy, Upgrade Insecure Requests and HTTP Strict Transport Security are all features that modern applications should leverage, so we’ll be setting those up too. The securityheaders.com and ssllabs.com security analysers are canonical resources for their respective areas, and we’re going to achieve an A+ grade on both of them.
RESOURCES MENTIONED IN THIS SESSION:
- SSL Labs: https://www.ssllabs.com/ssltest/
- Security Headers: https://securityheaders.com/
- Let’s Encrypt: https://letsencrypt.org/
- ACME Tools/Clients
  - ACME Tiny: https://github.com/diafygi/acme-tiny
  - CertBot: https://certbot.eff.org/
  - ACME.sh: https://github.com/Neilpang/acme.sh
- Mozilla Config Generator: https://ssl-config.mozilla.org/
- Crawler data: https://crawler.ninja/files/sts-sites.txt
- Support checker: https://caniuse.com/
- Certificate Transparency
  - Intro post: https://scotthelme.co.uk/certificate-transparency-an-introduction/
  - Monitoring: https://scotthelme.co.uk/announcing-ct-monitoring-for-report-uri/
  - crt.sh: https://crt.sh/
  - Censys: https://censys.io/certificates