• 1 Private Key and Certificate
  • 1.1 Use 2048-Bit Private Keys
  • 1.2 Protect Private Keys
  • 1.3 Ensure Sufficient Hostname Coverage
  • 1.4 Obtain Certificates from a Reliable CA
  • 1.5 Use Strong Certificate Signature Algorithms
  • 1.6 Use DNS CAA
• 2 Configuration
  • 2.1 Use Complete Certificate Chains
  • 2.2 Use Secure Protocols
  • 2.3 Use Secure Cipher Suites
  • 2.4 Select Best Cipher Suites
  • 2.5 Use Forward Secrecy
  • 2.6 Use Strong Key Exchange
  • 2.7 Mitigate Known Problems
• 3 Performance
  • 3.1 Avoid Too Much Security
  • 3.2 Use Session Resumption
  • 3.3 Use WAN Optimization and HTTP/2
  • 3.4 Cache Public Content
  • 3.5 Use OCSP Stapling
  • 3.6 Use Fast Cryptographic Primitives
• 4 HTTP and Application Security
  • 4.1 Encrypt Everything
  • 4.2 Eliminate Mixed Content
  • 4.3 Understand and Acknowledge Third-Party Trust
  • 4.4 Secure Cookies
  • 4.5 Secure HTTP Compression
  • 4.6 Deploy HTTP Strict Transport Security
  • 4.7 Deploy Content Security Policy
  • 4.8 Do Not Cache Sensitive Content
  • 4.9 Consider Other Threats
• 5 Validation
• 6 Advanced Topics
  • 6.1 Public Key Pinning
  • 6.2 DNSSEC and DANE
• 7 Changes
  • Version 1.3 (17 September 2013)
  • Version 1.4 (8 December 2014)
  • Version 1.5 (8 June 2016)
  • Version 1.6 (15 January 2020)
• Acknowledgments
• About SSL Labs
• About Qualys