SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd Curves secp384r1
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staping(32768)
The Content Security Policy allows loading fonts from Google and bootstrap from Cloudflare.
SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/website-ecc/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/website-ecc/privkey.pem
SSLCertificateFile /var/lib/dehydrated/certs/website-rsa/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/website-rsa/privkey.pem
Protocols h2 http/1.1
Header always set Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self' data: https://fonts.gstatic.com; img-src 'self'; form-action 'none'; manifest-src 'self'; object-src 'none'; script-src-elem 'self' https://cdnjs.cloudflare.com; style-src 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com; frame-ancestors 'none'; require-trusted-types-for 'script'"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()"
Header always set Referrer-Policy "same-origin"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "deny"
- configure dehydrated to obtain both rsa and ecc certificates
- create a CAA record
- register with hstspreload.org