How to get an A+ grade with your Free SSL and Secure Headers.

Update (02/09/2019): Please keep in mind that these settings are for cPanel servers running Web Host Manager (WHM) and Apache.  If you’ve got an NGINX installation, we’re writing a new article for you soon.

Update (11/17/2018): While this article primarily talks about a FreeSSL, these steps apply to any SSL really since the SSL is only as good as the encryption that the web server actually provides.  This article changes the web server settings and as such, changes the encryption offered for any SSL certificate.  These steps have provided PCI DSS, HIPAA and NIST compliance per High-Tech Bridge.

So, you have website hosting, they’ve given you a FreeSSL (a.k.a. AutoSSL) from cPanel, and you’ve visited Qualys SSL Labs, High-Tech Bridge or some other SSL testing site and found that you’re getting a “B” grade at best due to something called “Forward Secrecy” or ECDHE limiting your grade. How do you get that grade to an “A+”, you might ask? Some would think that you need to buy an SSL certificate, when the fact of the matter is that you probably just need to make a few tweaks to your .htaccess file, your Apache configuration or both.

One reason that we prefer the High-Tech Bridge site is that the report clearly shows if your site is PCI DSS, HIPAA or NIST security compliant.  So if you accept credit cards, then you’ll want to make sure that your site is PCI DSS compliant so that accepting credit cards won’t be a problem since some payment processing companies perform their own scans to ensure that your SSL certificate meets regulations.

Security Headers

To start, we’ll begin with the security headers. Browsers read these headers and they control a number of behaviours: how long to cache files, where a page may be framed or fetched from, and how the site is displayed. There are about 16 lines that you can add to your .htaccess file that will help right out of the gate. Those lines are:

## HIGH GRADE SSL SETTINGS
# These force additional security for all pages. These values result in an "A+"
# grade at https://securityheaders.com/. These also help the High-Tech Bridge
# test get an "A+" rating at: https://www.htbridge.com/ssl/.
#
# Header always set Content-Security-Policy "default-src https: data:"
# ^^ **The above breaks Gutenberg and other WP components badly. Keeping this as a warning.** ^^
#
# CSP syntax is "directive value; directive value" (no '=' and no quotes around https:).
# Without 'unsafe-inline' this policy also blocks inline scripts and styles, so try it
# first with the Content-Security-Policy-Report-Only header before enforcing it.
Header always set Content-Security-Policy "default-src https:; report-uri https://{your-domain.com}/csp-reportOnly"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-UA-Compatible "IE=Edge"
Header set Referrer-Policy "strict-origin"
Header set Cache-Control "no-transform"
Header set Feature-Policy "vibrate 'self'; sync-xhr 'self' https://{your-domain.com}"
# Expect-CT's report-uri value must be a double-quoted string, escaped inside Apache's quotes.
Header set Expect-CT "max-age=0, report-uri=\"https://{your-domain.com}/ct-reportOnly\""
# END HIGH GRADE SSL SETTINGS

Make sure that you change the {your-domain.com} parts to your actual domain. You can also omit the “report-uri” directive if you want, since it’s not required for the grade.

Side note: If you want to view full error reporting for the URI, then pay a visit to Report URI for a free account.

If you haven’t already, then make sure you’re also forcing HTTPS on your visitors so that all pages are only served via secure channels.  You can achieve this by adding the following lines:

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# End Force HTTPS

Now that you’ve added those, head on over to the Security Headers website and test your site to make sure that all of the security headers are valid. If so, you should have an “A+” score. If not, scroll down and read the warnings or errors that are keeping you from the full “A+” score.
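If you want to check the same headers offline before hitting a scanning site, here is an added example (not code from the article or from cPanel) that scores a set of response headers against the policy set above. GOOD and BAD are constructed sample responses, and the A+/F grading rule is a deliberate simplification, not securityheaders.com's algorithm.

```python
# Added example, not from the original article: an offline checker that scores a
# set of HTTP response headers against the policy the .htaccess block above sets.
# GOOD/BAD are constructed samples; the grading rule is a simplification of my own.
import re

HSTS_MIN_AGE = 31536000  # one year, as in the article's Strict-Transport-Security line
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_csp(policy: str) -> dict:
    """Split 'name value value; name value' into {directive-name: [values]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_security_headers(headers: dict) -> dict:
    """Return {check: (passed, detail)}; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    age = int(m.group(1)) if m else 0
    results["hsts"] = (age >= HSTS_MIN_AGE, f"max-age={age}")
    # A directive written as default-src='https:' is an unknown directive name,
    # so the parsed policy has no default-src at all and this check fails.
    default_src = parse_csp(h.get("content-security-policy", "")).get("default-src")
    results["csp"] = (default_src is not None and "'unsafe-inline'" not in default_src, str(default_src))
    xfo = h.get("x-frame-options", "").upper()
    results["x-frame-options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    results["x-content-type-options"] = (xcto == "nosniff", xcto or "missing")
    rp = h.get("referrer-policy", "").lower()
    results["referrer-policy"] = (rp in SAFE_REFERRER, rp or "missing")
    return results

def grade(results: dict) -> str:
    """'A+' when every check passes, otherwise 'F:' plus the failing check names."""
    failed = [name for name, (ok, _) in results.items() if not ok]
    return "A+" if not failed else "F:" + ",".join(failed)

GOOD = {  # constructed: what a response carrying the article's headers looks like
    "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src https:; report-uri https://example.com/csp-reportOnly",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin"}
BAD = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src='https:'"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("bad", BAD)):
        print(label, grade(check_security_headers(hdrs)))
```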

Setting the Encryption in Apache and WHM

Now that the headers are done, you can visit Qualys SSL Labs or High-Tech Bridge to test your SSL certificate to see if you get an “A+” grade there as well. If not, you’re probably missing some encryption ciphers, or you have ciphers enabled that weaken the encryption in order to support more devices and more browsers (i.e. older browsers that you shouldn’t support if security matters; looking at you, IE 6 and Outlook Express). If that’s the case, read on.

To configure TLS for Apache, i.e. your web server, log in to Web Host Manager (WHM) and navigate to Home -> Service Configuration -> Apache Configuration -> Global Configuration. The protocol and cipher settings are the first two items in that interface. The following is the default SSL Cipher Suite for cPanel version 68 and higher:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Change that to be:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

For the SSL/TLS protocols, the field probably just contains All -SSLv2 -SSLv3, so you need to add -TLSv1 to the list so that TLS v1.0 is turned off, which is required to obtain PCI DSS compliance, like so:

All -SSLv2 -SSLv3 -TLSv1

Save the Apache Global configuration, then scroll down and click “Rebuild Configuration and Restart Apache.”

By default, the client’s preference decides which protocol and cipher are chosen when a secure connection is established. If you want Apache to use the server’s preference instead (so that the suites listed first in your cipher string win), go to Home > Service Configuration > Apache Configuration > Include Editor > Pre VirtualHost Include, select “All versions” from the pull-down menu, then add the following to the text box that appears:

<IfModule ssl_module>
    SSLHonorCipherOrder On
</IfModule>

Click the “Update” button and then click “Restart Apache” so that the change goes into effect (if you have changed the Global Configuration as well, save it, then rebuild and restart Apache from there). From there, visit Qualys SSL Labs or High-Tech Bridge again to retest your site and see if any further changes are needed.
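To see what the cipher string and SSLHonorCipherOrder actually do, here is an added example (not code from the article, cPanel or Apache) that parses the replacement cipher string above, reports which suites provide forward secrecy (the ECDHE/DHE prefixes SSL Labs looks for) or still use CBC, and simulates which suite is negotiated with the client’s order versus the server’s order. SERVER is the article’s list; CLIENT_OFFER is a constructed client preference list.

```python
# Added example, not from the article: classify an OpenSSL-style cipher string such
# as the one pasted into WHM, and simulate the effect of SSLHonorCipherOrder.
# SERVER is the article's replacement list; CLIENT_OFFER is a constructed client.

def parse_cipher_list(cipher_string: str) -> list:
    """Split 'A:B:!C' into enabled suite names, dropping '!'-excluded entries."""
    return [c for c in cipher_string.split(":") if c and not c.startswith("!")]

def classify(suite: str) -> dict:
    """Classify a suite by key exchange, cipher mode and MAC from its OpenSSL name."""
    pfs = suite.startswith(("ECDHE-", "DHE-"))     # ephemeral key exchange => forward secrecy
    aead = "GCM" in suite or "POLY1305" in suite  # AEAD modes; the others here are CBC
    sha1_mac = suite.endswith("-SHA")             # a bare '-SHA' suffix means HMAC-SHA1
    return {"pfs": pfs, "aead": aead, "sha1_mac": sha1_mac}

def audit(cipher_string: str) -> dict:
    """Count the enabled suites and list those without forward secrecy or with CBC."""
    suites = parse_cipher_list(cipher_string)
    return {"total": len(suites),
            "no_pfs": [s for s in suites if not classify(s)["pfs"]],
            "cbc": [s for s in suites if not classify(s)["aead"]]}

def negotiate(server_list: list, client_list: list, honor_server_order: bool):
    """Return the first mutually supported suite, walking whichever side's order wins.

    honor_server_order=False mirrors Apache's default; True mirrors SSLHonorCipherOrder On.
    """
    preferred, other = (server_list, client_list) if honor_server_order else (client_list, server_list)
    for suite in preferred:
        if suite in other:
            return suite
    return None  # no common suite: the handshake would fail

# The article's replacement SSL Cipher Suite string.
SERVER = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
          "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
          "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
          "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:"
          "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS")
# Constructed client that lists a non-PFS CBC suite first, as an old client might.
CLIENT_OFFER = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(audit(SERVER))
    print("client order:", negotiate(parse_cipher_list(SERVER), CLIENT_OFFER, False))
    print("server order:", negotiate(parse_cipher_list(SERVER), CLIENT_OFFER, True))
```

The six suites reported under no_pfs are the static-RSA ones at the tail of the list; they are what a scanner flags under “Forward Secrecy” even when everything ahead of them is fine.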

We’re interested to know how this works for you. Leave a comment below!