📌
Software Security
  • README
  • Prerequisites
    • Prerequisites
  • Introduction
    • Cyber security principles
    • Basic web concepts
      • HTTP
      • JavaScript
      • Cookies
      • SQL
      • DOM
      • APIs and the multitier architecture
    • Basic browser security concepts
      • Same-Origin Policy (SOP)
      • Cross-Origin Resource Sharing (CORS)
      • Cookies
      • Tracking
    • Basic security concepts
      • Hashing
  • Access Control: Basics
    • Authentication
      • Passwords
      • Password managers
      • Attacking passwords - online
      • Attacking passwords - offline
    • Authorization
      • Insecure direct object references
    • Session Management
    • CSRF
      • CSRF: why & how it works
      • Protecting against CSRF attacks
    • SSRF
      • SSRF: how it works and how we can protect against it
  • Access Control: Advanced
    • Authentication
      • Federation
      • Alternative authentication mechanisms
      • FIDO2 and WebAuthn
  • Injection attacks
    • Injection attacks
    • SQL Injection
    • Command Injection
    • Cross-site scripting
      • Input validation
      • Context sensitive output encoding
      • About the HttpOnly flag
      • Content Security Policy
    • Subresource integrity
    • Sandboxing
  • HTTPS
    • HTTPS
    • Introduction to cryptography
    • PKI
    • Setting up HTTPS
    • References
  • HTTP Headers for security
    • HTTP Headers
  • Threat Modeling
    • Threat modeling introduction
    • Threat modeling basics
    • Inspiration for threats
  • Bringing it all together
    • A comprehensive overview of controls
Powered by GitBook
On this page
  • Create a keypair and get a certificate
  • Configure redirects from HTTP to HTTPS
  • Configure your server with adequate cipher suites
  • Set the HSTS header
  • Set up Certificate Transparency monitoring

Was this helpful?

  1. HTTPS

Setting up HTTPS

PreviousPKINextReferences

Last updated 1 year ago

Was this helpful?

Apart from the theoretical concepts shown in the previous sections, there are six actions that you must take to set up a HTTPS enabled web server from scratch:

  • Create a keypair and get a certificate

  • Configure redirects from HTTP to HTTPS

  • Configure your server with adequate cipher suites

  • Set the HSTS header

  • Set up Certificate Transparency Monitoring

Note that alternative lists exist (such as ). The six steps mentioned here are the most important steps though.

Create a keypair and get a certificate

By now you know what a keypair is, and what a certificate is. You also know that a certificate links the public key of your server to the domain name of your server (e.g. example.com). That means you have to find a CA where you can send your public key, and who is prepared to create a certificate linking it to a domain you own.

Domain ownership is typically validated in one of the following ways:

  • the CA will ask you to add a DNS TXT record, proving you are in control of the DNS servers of the domain you are requesting a certificate for

  • the CA will ask you to upload a file to your HTTP website, proving you are in control of the web server of the domain you are requesting a certificate for

Many certificate authorities exist, such as Globalsign, Digicert, Let's Encrypt, and others. Let's Encrypt is by far the most user-friendly CA, since scripts and tools exist that can be run on your web server that automatically generate a keypair and do the domain validation for you. The only thing you still have to do is configuring the script. The most well-known bot that is able to do this generation for you is .

Configure redirects from HTTP to HTTPS

You cannot disable HTTP completely. This would deny requests from users that first try to hit the HTTP variant of your website (a default of most browser is indeed to first try port 80, the HTTP port). Unless you can be certain that all users will directly try HTTPS, it is better to configure redirects from HTTP to HTTPS.

Configure your server with adequate cipher suites

In the previous sections we have seen that HTTPS goes through a certificate verification phase, a key exchange phase, and only then through a bulk encryption phase. All of these phases require different algorithms. The combination of these algorithms is called a cipher suite. Examples of cipher suites are the following:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Set the HSTS header

Set up Certificate Transparency monitoring

While we won't go into detail to explain these further, I highly recommend reading . It is simply important to understand that not all cipher suites offer the same protection. Encryption algorithms that were strong in the past, may be broken today. This configuration is often done on web server level, and in some cases even requires some changes to the OS. A great configuration generator for a wide range of web servers can be found here: https://ssl-config.mozilla.org/ , be sure to take a look at it.

HTTP Strict Transport Security (HSTS) is a HTTP security header that you can use to tell the browser to immediately connect to the HTTPS port (443) the next time it issues a request. As mentioned in the section about configuring redirects from HTTP to HTTPS, virtually all browsers first try to reach your website over HTTP. By setting the HSTS header, you can instruct the browser to skip trying the HTTP port and immediately try the HTTPS port. This is important to defend against attacks like .

CAs can be hacked (the case). When this happens, the attacker can issue certificates for virtually every domain he or she wishes. Certificate Transparency is a standard which mandates that all certificates that are issued are written to a public log. Owners of web server domains can subscribe to these logs to get notifications when certificates are issued for their domain.

For example, if you own the domain www.example.org, and you have set up Let's Encrypt as your CA, you may become suspicious when you receive a mail that a certificate for the domain www.example.org was issued by Globalsign. An example of where such logs can be checked is .

An alternative to all steps above is to simply put a proxy in front of your web server. is a well-known cloud proxy that can be used to simplify HTTPS deployment. However, care must be taken with these set-ups since these proxies only protect the traffic flowing between users of your web server and Cloudflare, not between Cloudflare and your web server.

this one
Certbot
this in-depth guide about cipher suites
SSLStrip
Diginotar
crt.sh
Cloudflare