I have been tweaking the configuration on a few client servers to improve their security. For a virtual host on Apache 2 I suggest the following configuration:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
SSLOptions +StrictRequire
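To see what each of those directives buys you, here is a small offline linter I added for this post (it is not part of the original article or of Apache itself). It parses a virtual-host fragment, expands the `SSLProtocol` argument, checks the cipher list for forward secrecy and AEAD, and checks the HSTS header. The two configuration samples are constructed: the first is the hardened set above, the second a typical older vhost for contrast. The thresholds (one-year HSTS minimum) and the assumption of a TLS 1.3-capable OpenSSL behind `all` are mine. One caveat it surfaces: `SSLCipherSuite` without a protocol prefix only governs TLS 1.2 and earlier, so with `-TLSv1.2` in `SSLProtocol` the list is inert and only TLS 1.3 clients can connect.

```python
import re

# Constructed sample: the hardened virtual-host directives from the post, one per line.
HARDENED_CONF = """
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
SSLOptions +StrictRequire
"""

# Constructed sample of an older-style vhost, kept only for contrast.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder off
Header set Strict-Transport-Security "max-age=300"
"""

LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")
MIN_HSTS_AGE = 31536000  # one year; the floor most guidance (and HSTS preload) uses


def parse_directives(conf):
    """Split a config fragment into (directive, argument-string) pairs."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            pairs.append((name, args.strip()))
    return pairs


def enabled_protocols(spec):
    """Expand an SSLProtocol argument. 'all' is Apache's shortcut for every protocol
    the linked OpenSSL supports; a TLS 1.3-capable build is assumed here."""
    supported = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
    enabled = set()
    for tok in spec.split():
        if tok.lower() == "all":
            enabled |= supported
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(conf):
    """Return (level, message) findings; FAIL means fix it, WARN means review it."""
    directives = {}  # last occurrence wins, as it does in Apache for these directives
    headers = []
    for name, args in parse_directives(conf):
        if name == "Header":
            headers.append(args)
        else:
            directives[name] = args
    findings = []

    if directives.get("SSLEngine", "").lower() != "on":
        findings.append(("FAIL", "SSLEngine is not on"))

    protos = enabled_protocols(directives.get("SSLProtocol", "all"))
    for p in LEGACY:
        if p in protos:
            findings.append(("FAIL", f"{p} is still enabled"))

    suites = directives.get("SSLCipherSuite", "")
    if suites and not suites.startswith("TLSv1.3 "):
        for s in suites.split(":"):
            if s.startswith(("!", "-")):
                continue  # exclusions are fine
            if not s.startswith(("ECDHE-", "DHE-")):
                findings.append(("FAIL", f"cipher '{s}' does not guarantee forward secrecy"))
            elif not re.search(r"GCM|CHACHA20", s):
                findings.append(("FAIL", f"cipher '{s}' is not an AEAD suite"))
        if "TLSv1.2" not in protos:
            findings.append(("WARN", "SSLCipherSuite without a protocol prefix governs TLS 1.2 and "
                                     "earlier, which are disabled; TLS 1.3-only also shuts out older clients"))

    if directives.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append(("FAIL", "SSLHonorCipherOrder is off: the client picks the suite"))
    if directives.get("SSLSessionTickets", "on").lower() != "off":
        findings.append(("WARN", "SSLSessionTickets not disabled; the ticket key only rotates on restart"))

    hsts = [h for h in headers if "Strict-Transport-Security" in h]
    if not hsts:
        findings.append(("FAIL", "no Strict-Transport-Security header"))
    else:
        h = hsts[-1]
        m = re.search(r"max-age=(\d+)", h)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(("FAIL", f"HSTS max-age {age} is below {MIN_HSTS_AGE}"))
        if "includesubdomains" not in h.lower():
            findings.append(("WARN", "HSTS lacks includeSubDomains"))
        if not h.startswith("always "):
            findings.append(("WARN", "Header lacks 'always': HSTS is not sent on error responses"))
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(f"== {label} ==")
        for level, msg in audit(conf) or [("OK", "no findings")]:
            print(f"{level}: {msg}")
```

Run it against a copy of your own vhost fragment: the hardened sample yields no FAIL lines and the single TLS 1.2 warning, while the older-style sample fails on TLS 1.0/1.1, on the `HIGH:MEDIUM` aliases, on client-chosen cipher order and on the short HSTS lifetime.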
If you collect personal or other sensitive information, I highly recommend using DNSSEC. Nordea, one of the largest banks in Scandinavia, does not use DNSSEC and receives a security score of only 37% on DK Hostmaster's testing tool. With very little effort one can get a score of 100%. Is it worth it? I think so!
For testing your configuration I suggest a few handy tools: