Implementing Apache TLS

This configuration (including the Header directive) gets an A+ rating from Qualys SSL Labs:

    <VirtualHost *:443>
        ...
        Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/itsthe.network/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/itsthe.network/privkey.pem
        # SSLCACertificateFile is documented for client-certificate verification; the
        # usual way to serve the intermediate chain is SSLCertificateChainFile, or
        # fullchain.pem in SSLCertificateFile on Apache 2.4.8 and later.
        SSLCACertificateFile  /etc/letsencrypt/live/itsthe.network/fullchain.pem
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4@STRENGTH
        # Prefer the server's cipher order over the client's
        SSLHonorCipherOrder on
        ...
    </VirtualHost>

Implementing Apache Security Headers

Simply add the following headers to either a VirtualHost directive (as demonstrated below) or in the main configuration:

    <VirtualHost *:443>
        ...
        Header set X-Frame-Options SAMEORIGIN
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
        Header set Referrer-Policy no-referrer
        ServerName ...
    </VirtualHost>

Adding these to the main configuration will also minimise information leakage:

    ServerTokens Prod
    ServerSignature Off

Use the Security Headers site to test the results.
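To verify both sections from the response side (the HSTS header from the TLS block, the security headers, and the reduced Server banner from ServerTokens Prod), here is an added example that is not part of the original page: a small Python checker that parses a raw HTTP response head and reports missing or weak headers. The two sample responses at the bottom are constructed for illustration, not captured from a real server; the accepted header values and the one-year HSTS minimum are taken from the configuration above.

```python
"""Audit the security headers of an HTTP response head (added example).

Parses raw response headers and reports which of the headers recommended
above are missing or weak, checks the HSTS max-age and includeSubDomains
directives, and flags a Server banner that still carries a version number.
The sample responses below are constructed, not captured from a real host.
"""
import re

# Accepted values (compared case-insensitively) for each recommended header.
REQUIRED = {
    "x-frame-options": ("sameorigin", "deny"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
    "referrer-policy": ("no-referrer", "same-origin", "strict-origin-when-cross-origin"),
}
MIN_HSTS_AGE = 31536000  # one year, as in the configuration above


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into {lower-cased name: value}.
    Header names are case-insensitive; values keep their case."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS value.
    Directive names are case-insensitive; max-age must be a non-negative integer."""
    max_age, sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            sub = True
        elif name == "preload":
            preload = True
    return max_age, sub, preload


def audit(raw):
    """Return a sorted list of findings for one response head; [] means clean."""
    h = parse_headers(raw)
    findings = []
    for name, accepted in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() not in accepted:
            findings.append(f"weak {name}: {h[name]}")
    if "strict-transport-security" not in h:
        findings.append("missing strict-transport-security")
    else:
        age, sub, _ = parse_hsts(h["strict-transport-security"])
        if age is None or age < MIN_HSTS_AGE:
            findings.append(f"hsts max-age below {MIN_HSTS_AGE}: {age}")
        if not sub:
            findings.append("hsts lacks includeSubDomains")
    # ServerTokens Prod leaves just "Apache"; any digit means a version is exposed.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server banner leaks version: {server}")
    return sorted(findings)


# Constructed sample: a host running the configuration from this page.
HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload",
    "X-Frame-Options: SAMEORIGIN",
    "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: no-referrer",
    "", "",
])

# Constructed sample: default-ish server with a short HSTS lifetime and a version banner.
LEAKY = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security: max-age=300",
    "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "", "",
])

if __name__ == "__main__":
    for label, head in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(label, audit(head) or "OK")
```

The same `audit()` function can be fed the output of `curl -sI https://your-host/` to check a live server; a clean result from it plus an A+ from SSL Labs confirms both halves of the configuration are in effect.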