Link To The SSLLabs.com Test
100% on Certificate
Use only certificates issued by a trusted, well-known CA.
Use certificates signed with SHA-256 or stronger (drop SHA-1 entirely; browsers no longer accept it).
Install the certificate together with its intermediate chain in the correct order: leaf certificate first, then the intermediates. A missing or misordered chain costs points even when the certificate itself is fine.
100% on Protocol
Enable only TLSv1.2 on the web server. SSLv3, TLSv1.0 and TLSv1.1 all lower the protocol score (TLSv1.3 also scores 100% where your nginx and OpenSSL builds support it).
100% on Key Exchange
Use 4096-bit private keys with 4096-bit DH parameters. Going above that is not recommended: larger keys make every handshake noticeably slower and some clients reject them.
90% on Ciphers
Use the following ciphers:
Set "ssl_prefer_server_ciphers" to "on" so that the server's preference order, not the client's, decides which of the ciphers above is negotiated.
Set up and enable OCSP stapling so that your server fetches the OCSP response for its own certificate and sends it to the client inside the TLS handshake, instead of every client querying the CA's OCSP responder itself. Besides saving the client a round trip, this protects your visitors' privacy: the CA never learns which clients connected to your site. Make sure nginx has a working resolver and the CA chain to verify the stapled response, otherwise stapling silently does nothing.
Set ssl_session_cache to at least "shared:SSL:10m" (10 MB of session cache shared between worker processes, roughly 40,000 sessions).
Set ssl_session_timeout to at least "10m" (10 minutes; note that the cache size is given in megabytes while the timeout is given in minutes).
HTTP Strict Transport Security (HSTS)
Set up and enable HSTS on your server (code below). Be aware that includeSubdomains applies the policy to every subdomain, including ones that are not served over HTTPS, and that preload marks the domain as eligible for the browsers' built-in preload list, which is very hard to undo once submitted:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
HTTP Public Key Pinning (HPKP)
Set up and enable HPKP on your server to protect against MITM attacks with forged certificates (e.g. TLS-intercepting antivirus such as Avast's web protection). Caveat: major browsers have since removed HPKP support, and a wrong or outdated pin locks clients out of your site for the whole max-age, so deploy it with care.
add_header Public-Key-Pins 'pin-sha256="base64string"; max-age=63072000; includeSubDomains';
(base64string is the base64-encoded SHA-256 hash of the certificate's Subject Public Key Info, i.e. of the public key, not of the certificate itself; the pin therefore survives certificate renewal as long as the key is kept. RFC 7469 also requires at least one backup pin for a key that is not in the served chain, for example the key of a pre-generated CSR, so that you can recover if the primary key is lost or compromised.)
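The whole checklist as one nginx server block. This is an added example, not configuration from the original post: the hostname, file paths, resolver address, ECDH curve and the pin values are placeholders that you must replace, and the cipher list is the one from the Ciphers section above (not reproduced here).

```nginx
# Added example, not from the original post. Every path, host name and pin
# value is a placeholder; generate and substitute your own.
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Certificate: fullchain.pem holds the leaf certificate followed by the
    # intermediates, in that order. SHA-256 cert from a public CA, 4096-bit RSA key.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Protocol: TLS 1.2 only (append TLSv1.3 if your nginx/OpenSSL build supports it).
    ssl_protocols TLSv1.2;

    # Key exchange: 4096-bit DH parameters, generated once with
    #   openssl dhparam -out /etc/ssl/example.com/dhparam.pem 4096
    # If the cipher list contains ECDHE suites, the curve size also feeds the
    # key-exchange score; secp384r1 is an assumption here, not from the post.
    ssl_dhparam    /etc/ssl/example.com/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    # Ciphers: paste the list from the Ciphers section; the server's order wins.
    ssl_ciphers 'REPLACE_WITH_THE_CIPHER_LIST_FROM_THE_CIPHERS_SECTION';
    ssl_prefer_server_ciphers on;

    # OCSP stapling: nginx fetches the OCSP response and attaches it to the
    # handshake. chain.pem (intermediates plus root) verifies the response, and
    # a resolver is required so nginx can reach the CA's OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;    # assumption: a local caching resolver
    resolver_timeout 5s;

    # Session resumption: 10 MB cache shared by all workers, 10 minute lifetime.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. "always" (nginx >= 1.7.5) also sends them on error
    # responses. add_header is NOT inherited by a location block that defines
    # its own add_header, so repeat these there if you add any.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # HPKP: pin the SPKI hash of the live key plus at least one backup key that
    # is not in the served chain (RFC 7469). Compute a pin from a private key:
    #   openssl pkey -in privkey.pem -pubout -outform der \
    #     | openssl dgst -sha256 -binary | openssl enc -base64
    # or from a certificate:
    #   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
    #     | openssl dgst -sha256 -binary | openssl enc -base64
    add_header Public-Key-Pins 'pin-sha256="PRIMARY_PIN_BASE64"; pin-sha256="BACKUP_PIN_BASE64"; max-age=63072000; includeSubDomains' always;
}

# Redirect plain HTTP so the HSTS header is seen on the first visit.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, confirm stapling actually works with openssl s_client -connect example.com:443 -status (look for "OCSP Response Status: successful") before relying on the SSL Labs result, and only add the Public-Key-Pins header once both pins have been checked against the keys you really hold.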
We now have 100% on Certificate, Protocol and Key Exchange, with 90% on Cipher Strength. Ignore the remaining 10% of Cipher Strength: reaching it means dropping every 128-bit suite, which causes issues with SPDY/HTTP/2 and some otherwise modern browsers. This is simply a checklist for an almost perfect SSL setup with an A+ rating on the Qualys SSL Labs server test.