HTTPS and TLS done right — a practical configuration guide | Scanthra
May 2026
Why "we have HTTPS" usually isn't enough
A site that loads on HTTPS but also still responds on plain HTTP — or uses TLS 1.0, an expired cert, or weak ciphers — is the equivalent of a deadbolt on a door that's been left ajar. Every modern security questionnaire, browser warning, and compliance regime (GDPR Art. 32, NIS2 Art. 21(2)(h), PCI DSS 4.0) treats TLS hygiene as a baseline, not an extra.
The five things to get right
1. A valid, modern certificate
Free, automated, trusted by every browser: Let's Encrypt. Most hosting panels (cPanel, Plesk, DirectAdmin, ISPmanager) ship a one-click installer. For VPS users, certbot or acme.sh renew every 60 days automatically. Pick RSA-2048 or ECDSA P-256 — both are fine.
2. HTTPS only — no HTTP, no mixed content
Every plain-HTTP request should redirect to HTTPS with a 301 (not 302 — search engines treat them differently). Mixed content (HTTPS page loading an HTTP image or script) silently breaks the security guarantee — most browsers block it but some legacy embeds get through. Audit with the browser dev tools' "Security" tab.
3. HSTS — tell the browser to remember HTTPS
Without HSTS, every first visit still includes a plain-HTTP request that can be intercepted. The fix is one HTTP response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age=31536000 — one year. Start at one month (2592000) while you test, then raise.
- includeSubDomains — apply to every subdomain too. Only add this once you're sure every subdomain serves HTTPS.
- preload — eligible to be baked into browsers' built-in HSTS lists at hstspreload.org. Only submit once everything else is stable; removing yourself from the list takes weeks.
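An added example, not code from the article: it audits a captured plain-HTTP response and the HSTS header seen over HTTPS against sections 2 and 3 (301 to an https:// URL; max-age of at least a year; preload only when includeSubDomains and a one-year max-age are also present, which is what hstspreload.org requires). The sample responses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # the max-age the article recommends; also the hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (directive names are case-insensitive)."""
    policy = HstsPolicy()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def audit(http_status: int, http_location: Optional[str], hsts_header: Optional[str]) -> List[str]:
    """Findings for the plain-HTTP redirect and the HSTS header on the HTTPS response."""
    findings = []
    if http_status != 301:
        findings.append(f"plain HTTP answered {http_status}, expected a 301 redirect")
    if not http_location or not http_location.lower().startswith("https://"):
        findings.append("redirect target is not an https:// URL")
    if hsts_header is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    policy = parse_hsts(hsts_header)
    if policy.max_age is None:
        findings.append("HSTS header has no valid max-age directive")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if policy.preload and not (policy.include_subdomains and (policy.max_age or 0) >= ONE_YEAR):
        findings.append("preload set but policy does not meet hstspreload.org requirements")
    return findings


if __name__ == "__main__":
    # Constructed sample: a site still in the "one month, no subdomains" testing phase.
    for finding in audit(302, "https://example.com/", "max-age=2592000; preload"):
        print("-", finding)
```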
4. Modern protocols and ciphers
Disable SSLv3, TLS 1.0 and TLS 1.1 — they have known weaknesses and no modern client needs them. Enable TLS 1.2 and TLS 1.3.
For nginx (Mozilla "intermediate" baseline, generated from ssl-config.mozilla.org):
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
For Apache:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
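An added example, not from the article or Mozilla's generator: before deploying the cipher list above, load it into the local OpenSSL through Python's ssl module (the same library nginx and Apache link against) to see which names this build actually offers, since unknown names are dropped silently, and to confirm every TLS 1.2 suite left is forward-secret and AEAD.

```python
import re
import ssl
from typing import List

# The nginx ssl_ciphers value from the article; TLS 1.3 suites are fixed and not governed by it.
INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def build_context(cipher_list: str = INTERMEDIATE) -> ssl.SSLContext:
    """Server context mirroring the article's policy: TLS 1.2+ only, given cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 off
    ctx.set_ciphers(cipher_list)                  # raises SSLError if nothing at all matches
    return ctx


def tls12_suites(ctx: ssl.SSLContext) -> List[dict]:
    """Everything OpenSSL would negotiate below TLS 1.3 with this context."""
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Suites that break the baseline: no forward secrecy (Kx not ECDH/DH) or no AEAD."""
    bad = []
    for c in tls12_suites(ctx):
        # OpenSSL's description line, e.g. "... Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
        kx = re.search(r"Kx=(\S+)", c["description"])
        mac = re.search(r"Mac=(\S+)", c["description"])
        if not kx or kx.group(1) not in ("ECDH", "DH") or not mac or mac.group(1) != "AEAD":
            bad.append(c["name"])
    return bad


def silently_dropped(ctx: ssl.SSLContext, cipher_list: str) -> List[str]:
    """Names in the configured list that this OpenSSL build did not actually enable."""
    offered = {c["name"] for c in tls12_suites(ctx)}
    return [name for name in cipher_list.split(":") if name not in offered]


if __name__ == "__main__":
    ctx = build_context()
    print("dropped:", silently_dropped(ctx, INTERMEDIATE))
    print("violations:", policy_violations(ctx))
```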
5. OCSP stapling and HTTP/2
OCSP stapling lets your server include the cert's revocation status in the TLS handshake, avoiding a separate (slow, sometimes failing) call from the browser to the CA.
ssl_stapling on;
ssl_stapling_verify on;
HTTP/2 isn't a security feature per se, but most modern security checkers count its absence as a sign of an outdated stack:
listen 443 ssl http2;
Cloudflare-only shortcut
If your origin sits behind Cloudflare, most of the above is one toggle:
- SSL/TLS → Overview: set to Full (strict).
- SSL/TLS → Edge Certificates: enable "Always Use HTTPS", "Automatic HTTPS Rewrites", "Minimum TLS Version: TLS 1.2", and turn on HSTS via the panel.
- That covers ~80% of TLS findings without touching the origin server.
Renewal — the boring thing that bites you
The single most common TLS incident is "certificate expired on a Sunday morning, nobody noticed, customers couldn't reach the site for six hours". Two defences:
- Automatic renewal at the cert layer (Let's Encrypt does this by default; verify with certbot renew --dry-run).
- An external monitor — UptimeRobot, Better Uptime, BetterStack or a free Cloudflare cron-style alert — that pings you 14 days before expiry.
How to verify your setup
- Mozilla Observatory — free, gives a letter grade and explains every deduction.
- SSL Labs SSL Test (Qualys) — the canonical TLS deep-dive, still relevant in 2026.
- Scanthra — our SSL/TLS, HSTS and Security Headers modules summarise the same findings in plain language and deliver them as a PDF you can hand to a client or auditor.
Common gotchas
- SNI confusion. Legacy clients that don't send SNI can be served the wrong certificate when several sites share one IP. Use one VirtualHost per cert, and keep the default-server cert valid.
- Subdomains forgotten. www. and cdn. often need their own certs or a SAN entry on the main one.
- HSTS-induced lockouts. If you set HSTS with includeSubDomains before every subdomain has TLS, those subdomains become unreachable for the max-age period. Start without includeSubDomains.
- Cipher suite paranoia. Banning every cipher that ever had a weakness will lock out users on old phones. The Mozilla "intermediate" preset is a sensible compromise.
How Scanthra detects TLS issues
Our SSL/TLS module checks: cert validity and expiry, protocol versions supported, HSTS presence and policy, certificate chain trust, and a few common misconfigurations. Findings appear in the report with severity, plain-English explanation and a copy-paste fix — same shape as in this article.
Want to know if your site has this issue?
Scanthra runs a friendly, passive check and emails you a plain-English PDF report.
Scan your site free