How to get an A+ grade with your Free SSL and Secure Headers.

So, you have website hosting, they've given you a free SSL certificate (cPanel calls it AutoSSL), and you've visited Qualys SSL Labs, High-Tech Bridge or some other TLS testing site and found that you're getting a "B" grade at best, with the report pointing at forward secrecy (ECDHE key exchange) or old protocol support as the thing limiting your grade. How do you get that grade to an "A+", you might ask? Some would think that you need to buy a certificate, when in fact the grade has almost nothing to do with who issued the certificate or what it cost: you probably just need to make a few tweaks to your .htaccess file, your Apache configuration or both.

One reason that we prefer the High-Tech Bridge site is that its report clearly shows whether your TLS configuration meets the PCI DSS, HIPAA and NIST guidelines it checks against. If you accept credit cards, you'll want the PCI DSS checks to pass, since payment processors run their own scans of your server's TLS setup (not just the certificate) and will flag, for example, TLS 1.0 still being enabled, which PCI DSS has not allowed since June 30, 2018.

Security Headers

To start, we'll begin with the security headers. These are response headers that tell the browser how to treat your site: whether to insist on HTTPS from now on, whether the page may be framed by another site, whether to guess content types, how much of the referring URL to leak to other sites, and so on. The block below is a set of lines you can add to your .htaccess file (it needs mod_headers, which cPanel's Apache has enabled) that will help right out of the gate:


## HIGH GRADE SSL SETTINGS
# These force additional security for all pages. These values result in an "A+"
# grade at https://securityheaders.com/. These also help the Qualys SSL Labs
# test get an "A+" rating at: https://www.ssllabs.com/ssltest/index.html.
# Header always set Content-Security-Policy "default-src https: data:"
# ^^ **The above breaks Gutenberg and other WP components badly. Keeping this as a warning. ** ^^
#
# CSP syntax: directives are separated by ";", each is a name followed by
# space-separated sources, and only keywords such as 'self' are quoted. A
# directive written as default-src='https:' has an invalid name, so browsers
# ignore it and the header enforces nothing; scanners only check it is present.
# The policy below is deliberately loose ('unsafe-inline' and 'unsafe-eval'
# keep WordPress working) but still blocks plaintext http: resources. Trial any
# tighter policy as Content-Security-Policy-Report-Only and read the reports
# posted to report-uri before enforcing it.
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://{your-domain.com}/csp-reportOnly"
# "always" sends HSTS on error responses too. 31536000 s is one year, above the
# 180 days SSL Labs requires for an A+; add "; includeSubDomains" once every
# subdomain is served over HTTPS.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-Frame-Options "SAMEORIGIN"
# Legacy header: current browsers ignore it, but scanners of this era still expect it.
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
# Not a security header; it only picks the rendering engine in old Internet Explorer.
Header set X-UA-Compatible "IE=Edge"
Header set Referrer-Policy "strict-origin"
Header set Cache-Control "no-transform"
# Feature-Policy has since been superseded by Permissions-Policy (different syntax).
Header set Feature-Policy "vibrate 'self'; sync-xhr 'self' https://{your-domain.com}"
# Expect-CT requires report-uri to be double-quoted, hence the escaped quotes.
Header set Expect-CT "max-age=0, report-uri=\"https://{your-domain.com}/ct-reportOnly\""
# END HIGH GRADE SSL SETTINGS

Make sure that you change the  {your-domain.com} parts to your actual domain.

Now that you've added those, head over to securityheaders.com and test your site to make sure that all of the security headers are present and well-formed. If so, you should have an "A+" score. If not, scroll down and read the warnings or errors that are keeping you from the full "A+" score. Bear in mind that the scanner checks that the headers are there and parse correctly, not that the policy they carry is strong; a permissive Content-Security-Policy still counts as present, so treat the "A+" as a floor rather than a finish line.
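To see what such a scanner is actually checking, here is a small offline checker. It is an added example for this article, not the original post's code and not any scanner's code. It parses a raw response header block of the kind `curl -sI https://your-domain.com` prints and applies the checks that matter for the headers above: HSTS max-age of at least 180 days (the SSL Labs A+ threshold), X-Content-Type-Options exactly `nosniff`, Expect-CT's report-uri double-quoted, and a CSP tokenised the way browsers tokenise it, so that a directive written as `default-src='https:'` is reported as ignored. The sample responses are constructed, and example.com stands in for your domain.

```python
"""Offline checker for the security headers discussed above (added example).

Feed it a raw response header block, e.g. the output of
`curl -sI https://your-domain.com`, and it reports which of the headers
from the .htaccess snippet are missing or malformed.  The CSP check
tokenises the policy the way browsers do: directives are split on ';',
a directive name may contain only letters, digits and '-', and a quoted
token must be a CSP keyword.  That is why "default-src='https:'" is
reported as ignored: the browser never sees a valid directive.
"""
import re

CSP_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
                "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
                "'wasm-unsafe-eval'"}
CSP_KEYWORD_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
HSTS_MIN_AGE = 180 * 24 * 3600      # 15552000 s: SSL Labs' A+ threshold
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")


def parse_headers(raw):
    """Return {lower-cased name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue                      # status line, blank line, body
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_csp(policy):
    """Problems a browser would log for this Content-Security-Policy value."""
    problems = []
    for directive in (d.strip() for d in policy.split(";")):
        if not directive:
            continue
        name, *sources = directive.split()
        if not DIRECTIVE_NAME.match(name):
            problems.append(f"ignored directive with invalid name: {name!r}")
            continue
        for src in sources:
            if (src.startswith("'") and src not in CSP_KEYWORDS
                    and not src.startswith(CSP_KEYWORD_PREFIXES)):
                problems.append(f"{name}: unknown quoted source {src} is ignored")
    return problems


def check_hsts(value):
    """Problems with a Strict-Transport-Security value."""
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return ["missing max-age"]
    if int(m.group(1)) < HSTS_MIN_AGE:
        return [f"max-age {m.group(1)} is below {HSTS_MIN_AGE}"]
    return []


def audit(raw):
    """Return {header: [problems]}; an empty list means that header passed."""
    h = parse_headers(raw)
    report = {name: ["missing"] for name in REQUIRED if name not in h}
    if "content-security-policy" in h:
        report["content-security-policy"] = check_csp(h["content-security-policy"][0])
    if "strict-transport-security" in h:
        report["strict-transport-security"] = check_hsts(h["strict-transport-security"][0])
    if h.get("x-content-type-options", ["nosniff"])[0].lower() != "nosniff":
        report["x-content-type-options"] = ["value must be nosniff"]
    if "report-uri='" in h.get("expect-ct", [""])[0]:
        report["expect-ct"] = ["report-uri must be double-quoted"]
    return report


def passes(raw):
    """True when no header is missing or malformed."""
    return not any(audit(raw).values())


# Constructed sample: what the snippet sends when the CSP and Expect-CT lines
# are written with quoted values (example.com stands in for {your-domain.com}).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src='https:' report-uri='https://example.com/csp-reportOnly'
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Expect-CT: max-age=0, report-uri='https://example.com/ct-reportOnly'
"""

# The same response with both headers written in valid syntax.
FIXED_RESPONSE = SAMPLE_RESPONSE.replace(
    "default-src='https:' report-uri='https://example.com/csp-reportOnly'",
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
    "report-uri https://example.com/csp-reportOnly",
).replace("report-uri='https://example.com/ct-reportOnly'",
          'report-uri="https://example.com/ct-reportOnly"')

if __name__ == "__main__":
    for label, raw in (("as written", SAMPLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "->", "PASS" if passes(raw) else audit(raw))
```

Run it as-is and the "as written" response fails on two headers while the "fixed" one passes; to check a live site, pipe `curl -sI https://your-domain.com` into `audit()` instead of the constructed sample. The CSP check only validates syntax, which is exactly what separates "the header is there" from "the header does something".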

Setting the Encryption in Apache and WHM

Now that the headers are done, visit Qualys SSL Labs or High-Tech Bridge to test your TLS configuration and see whether you get an "A+" there as well. If not, the report will usually point at one of three things: an old protocol (SSLv3, TLS 1.0 or TLS 1.1) still enabled, cipher suites without forward secrecy (anything that does not use ECDHE or DHE key exchange) being offered, or the server letting the client pick the suite. The cipher list also decides which older devices and browsers can connect at all, so there is a trade-off between compatibility and grade. If that's the case, read on.

To configure TLS for Apache, i.e. your web server, log in to your Web Hosting Manager (WHM) and navigate to Home -> Service Configuration -> Apache Configuration -> Global Configuration. The protocol and cipher settings will be the first two in that interface. The following is the default for cPanel version 68 and higher for the SSL Cipher Suite:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Change that to be the following, which is essentially Mozilla's "intermediate" compatibility list of that period: the forward-secret ECDHE and DHE suites stay at the front, and plain-RSA and CBC suites are appended for older clients:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

Note that the six suites at the end of that list (AES128-GCM-SHA256 through AES256-SHA) use static RSA key exchange and therefore provide no forward secrecy; the scanner will tell you that forward secrecy is not available for every client. If you don't need to support browsers that old, drop everything after DHE-RSA-AES256-SHA so that every remaining suite starts with ECDHE- or DHE-. If you keep the DHE- suites, make sure Apache is using 2048-bit or larger Diffie-Hellman parameters (httpd 2.4.7 and later do this by default with a 2048-bit certificate key); 1024-bit DH caps the SSL Labs grade at B.

For the SSL/TLS protocols, it probably just has "All -SSLv2 -SSLv3". TLS 1.0 has to go (PCI DSS stopped allowing it on June 30, 2018), and TLS 1.1 has no clients that don't also speak TLS 1.2, so disable both; SSL Labs now caps the grade at B if either is still enabled:

All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

That leaves TLS 1.2 and, on cPanel builds linked against OpenSSL 1.1.1 or later, TLS 1.3.

Save the Apache Global configuration, then scroll down and click “Rebuild Configuration and Restart Apache.”

By default, Apache honours the client's preference when choosing the cipher suite, which means an older browser can pick a CBC or non-forward-secret suite even though your list offers better ones first. If you want the server's order to win (SSL Labs looks for this), go to Home > Service Configuration > Apache Configuration > Include Editor > Pre VirtualHost Include, select "All versions" from the pull-down menu, then add the following to the text box that appears:

<IfModule ssl_module>
SSLHonorCipherOrder On
</IfModule>

Click the "Update" button and then "Restart Apache" so that the include takes effect. From there, visit Qualys SSL Labs or High-Tech Bridge again to retest your site and see whether any further changes are needed.
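Before you paste a cipher string into WHM it helps to know what the scanner will make of it. The following is an added example, not this page's or cPanel's own tooling: it classifies each suite in an OpenSSL-style cipher list (the two lists above are embedded as constructed input, `!DSS` and all) and expands an SSLProtocol value the way mod_ssl does, so you can see that the "change that to be" list appends six static-RSA suites with no forward secrecy, and that "-TLSv1" on its own still leaves TLS 1.1 enabled. The `forward_secret_only` helper is an assumption of this example, not a cPanel feature.

```python
"""Offline sanity check for cipher-suite and SSLProtocol strings (added example).

Nothing here talks to a server.  It classifies each OpenSSL suite name in a
colon-separated cipher list and expands an Apache SSLProtocol value, so you
can see what SSL Labs will object to before rebuilding Apache.  Forward
secrecy comes from an ephemeral key exchange, which in OpenSSL suite names
means an ECDHE- or DHE- prefix; a suite with no GCM, POLY1305 or CCM in its
name is a CBC suite (still accepted, but penalised by modern scanners).
"""

FS_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "POLY1305", "CCM")
# mod_ssl 2.4's "all" keyword expands to these; SSLv2 support is long gone,
# so the "-SSLv2" in cPanel's default string is harmless but redundant.
ALL_EXPANDS_TO = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Constructed input: the cPanel default list and the "change that to be" list
# from the text above, copied as-is (including the trailing !DSS).
CPANEL_DEFAULT = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
SUGGESTED = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)


def classify_suites(cipher_string):
    """One record per concrete suite; '!', '-', '+' modifiers and aliases are skipped."""
    records = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+" or (token.isupper() and "-" not in token):
            continue
        records.append({"suite": token,
                        "forward_secrecy": token.startswith(FS_PREFIXES),
                        "aead": any(m in token for m in AEAD_MARKERS)})
    return records


def summarize(cipher_string):
    """What a scanner would say about the list as a whole."""
    recs = classify_suites(cipher_string)
    return {
        "total": len(recs),
        "no_forward_secrecy": [r["suite"] for r in recs if not r["forward_secrecy"]],
        "cbc": [r["suite"] for r in recs if not r["aead"]],
        "first_suite_is_fs_aead": bool(recs) and recs[0]["forward_secrecy"] and recs[0]["aead"],
    }


def forward_secret_only(cipher_string):
    """Hypothetical helper: drop static-RSA suites, keeping order and '!' exclusions."""
    return ":".join(t for t in cipher_string.split(":")
                    if t.startswith(FS_PREFIXES) or t.startswith("!"))


def enabled_protocols(ssl_protocol):
    """Expand an SSLProtocol value such as 'All -SSLv2 -SSLv3 -TLSv1' to a set."""
    enabled = set()
    for token in ssl_protocol.split():
        if token.lower() == "all":
            enabled |= ALL_EXPANDS_TO
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def weak_protocols(ssl_protocol):
    """Enabled protocols below TLS 1.2, which SSL Labs now caps the grade for."""
    return enabled_protocols(ssl_protocol) - ACCEPTABLE


if __name__ == "__main__":
    for label, lst in (("cPanel default", CPANEL_DEFAULT), ("suggested", SUGGESTED),
                       ("suggested, FS only", forward_secret_only(SUGGESTED))):
        s = summarize(lst)
        print(f"{label}: {s['total']} suites, {len(s['cbc'])} CBC, "
              f"no forward secrecy: {s['no_forward_secrecy'] or 'none'}")
    for proto in ("All -SSLv2 -SSLv3 -TLSv1", "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"):
        print(f"{proto!r}: weak protocols still enabled: {weak_protocols(proto) or 'none'}")
```

The real-world check for the cipher half is `openssl ciphers -v '<list>'`, which prints the key exchange (Kx=) and cipher mode of every suite the string expands to; for the protocol half, after the rebuild `openssl s_client -connect your-domain.com:443 -tls1` should fail to handshake while `-tls1_2` succeeds.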

We’re interested to know how this works for you. Leave a comment below!