mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-21 20:31:33 -05:00
Update Cipher configuration (#118)
Signed-off-by: Tommy <contact@tommytran.io>
parent 0a1bd622ee
commit a93e35a979
@ -32,12 +32,16 @@ These security configurations can be added/modified in `data/conf/nginx/includes
|
||||
|
||||
### SSL Ciphers
|
||||
|
||||
Consider only supporting ciphers matching that of TLSv1.3:
|
||||
Consider only supporting strong ciphers:
|
||||
|
||||
```
|
||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
```
|
||||
|
||||
And prioritize ChaCha ciphers:
|
||||
```
|
||||
ssl_conf_command Options PrioritizeChaCha;
|
||||
```
|
||||
### HSTS
|
||||
|
||||
Consider adding `includeSubDomains;` and `preload;` to the HSTS configuration if all of your services are using HTTPS:
|
||||
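Review bot: `ssl_conf_command Options PrioritizeChaCha;` is presented under "And prioritize ChaCha ciphers:" without its precondition. OpenSSL honours PrioritizeChaCha only when server cipher preference is enabled, so the text should say that this needs `ssl_prefer_server_ciphers on;`, otherwise the option has no effect and the client's order decides. It also helps to state there that in the unquoted `ssl_ciphers` list the CHACHA20-POLY1305 suites sit after all four ECDHE AES-GCM suites, so ChaCha is selected only for clients that list it first. Separately, the `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384` entries are used by nginx only when `ssl_dhparam` is configured, which this section does not mention; either document that requirement or drop the two DHE suites.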
@ -93,4 +97,4 @@ If you do not use Gravatar with SOGo, you can also set COEP to require-corp sinc
|
||||
|
||||
```
|
||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
```
|
||||
```
|
||||
|