HTTPS and SSL/TLS: Configuring Secure Connections for Web Applications

Transport Layer Security is the foundation of secure communication on the web. Without it, every byte of data between your users and your application travels in plain text — subject to interception, modification, and theft by any attacker on the network path.
Certificate Authority Selection and Certificate Types
The journey to HTTPS begins with a certificate. Let's Encrypt has transformed the landscape by providing free, automated certificates via the ACME protocol. For most applications, a Domain Validation (DV) certificate from Let's Encrypt is sufficient. Organization Validation (OV) certificates add a layer of identity verification that enterprise applications may require.
# Certbot automatic certificate issuance with Nginx
certbot --nginx \
-d soninow.com \
-d www.soninow.com \
--non-interactive \
--agree-tos \
-m [email protected]
Wildcard certificates cover a domain and all its subdomains, which simplifies management for applications with multiple services. ACME v2 supports wildcard issuance via DNS-01 challenges, requiring API access to your DNS provider for automated renewal.
TLS 1.3 and Cipher Suite Configuration
TLS 1.3 is the current standard — it offers better performance through a reduced handshake latency and eliminates vulnerable cipher suites. Servers should disable TLS 1.0, 1.1, and ideally 1.2 for new deployments.
# Nginx TLS configuration (modern profile)
ssl_protocols TLSv1.3;
# ssl_ciphers only governs TLS 1.2 and below; with OpenSSL the TLS 1.3 suites are
# selected through ssl_conf_command Ciphersuites (nginx 1.19.4+).
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
For services that must support older clients, enable TLS 1.2 with a restricted cipher list that excludes CBC-mode ciphers, RC4, and export-grade algorithms. The Mozilla SSL Configuration Generator provides profiles for intermediate and modern compatibility levels.
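As an added example (not code from the original article), the following Python audit parses the `ssl_protocols`, `ssl_ciphers` and `ssl_conf_command Ciphersuites` directives from an nginx snippet and flags deprecated protocols, export-grade or broken suites, and CBC-mode suites, matching the restrictions described above; the legacy sample config is constructed for illustration.

```python
import re

# Protocol tokens that must never be offered; TLSv1.2 is tolerated only for legacy clients.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Markers (upper-cased) of broken or export-grade suites in OpenSSL cipher-string syntax.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_conf_command\s+Ciphersuites)\s+([^;]+);", re.M
)

def parse_tls_directives(config: str) -> dict:
    """Collect the protocol and cipher directives from an nginx http/server block."""
    found = {}
    for m in DIRECTIVE_RE.finditer(config):
        key = "ssl_ciphersuites" if m.group(1).startswith("ssl_conf_command") else m.group(1)
        found[key] = m.group(2).strip()
    return found

def is_cbc(cipher: str) -> bool:
    """A TLS 1.2 suite without an AEAD marker is CBC-mode; TLS 1.3 names (TLS_*) are all AEAD."""
    return not cipher.startswith("TLS_") and not any(m in cipher for m in AEAD_MARKERS)

def audit_tls_config(config: str) -> list:
    """Return findings against the modern profile; an empty list means the snippet passes."""
    d = parse_tls_directives(config)
    findings = []
    protocols = set(d.get("ssl_protocols", "").split())
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not enabled")
    offered = d.get("ssl_ciphers", "") + ":" + d.get("ssl_ciphersuites", "")
    for cipher in (c.strip() for c in offered.split(":")):
        if not cipher or cipher.startswith("!"):
            continue  # '!RC4' removes a suite rather than offering it
        if "-" not in cipher and not cipher.startswith("TLS_"):
            findings.append(f"cipher alias, expand to explicit suites: {cipher}")
        elif any(m in cipher.upper() for m in WEAK_MARKERS):
            findings.append(f"weak cipher offered: {cipher}")
        elif is_cbc(cipher):
            findings.append(f"CBC-mode cipher offered: {cipher}")
    return findings

# Constructed sample: the kind of legacy configuration the profile above replaces.
LEGACY_CONFIG = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers ECDHE-RSA-AES128-SHA:RC4-SHA:EXP-DES-CBC-SHA;"
```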
HTTP Strict Transport Security (HSTS)
HSTS tells a browser that has seen the header to connect only via HTTPS, which prevents protocol downgrade attacks and cookie hijacking on later connections. The preload directive closes the first-connection gap by submitting your domain to browser vendors for hardcoded HTTPS-only access.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Start with a lower max-age (3600 seconds) during testing, then increase to two years (63072000 seconds) once you verify no mixed content issues exist. The includeSubDomains directive applies HSTS to all subdomains — ensure every subdomain supports HTTPS before enabling it.
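The staged rollout above can be checked mechanically. This added example (not part of the original article) parses a Strict-Transport-Security value following RFC 6797 and reports what still blocks preload submission: a test-sized max-age, a missing includeSubDomains, or a missing preload directive. The one-year preload minimum (31536000 seconds) is the published preload-list requirement.

```python
# Preload submission requires max-age of at least one year, includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000
RECOMMENDED_MAX_AGE = 63072000  # two years, the value the article settles on

def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Directives are ';'-separated and case-insensitive; max-age is required and may be
    quoted; a repeated directive makes the header invalid, so it is rejected, not merged.
    """
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def hsts_findings(header_value: str) -> list:
    """Checklist for the rollout described above; an empty list means preload-ready."""
    policy = parse_hsts(header_value)
    issues = []
    if policy["max_age"] == 0:
        issues.append("max-age=0 withdraws the policy")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age {policy['max_age']} is a test value; preload needs {PRELOAD_MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        issues.append("includeSubDomains missing (required for preload)")
    if not policy["preload"]:
        issues.append("preload directive missing")
    return issues

# Constructed sample header, the final value from the article.
PRODUCTION_HEADER = "max-age=63072000; includeSubDomains; preload"
```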
Certificate Chain and OCSP Stapling
The server must send the complete certificate chain (leaf, intermediates, root) to avoid certificate trust failures in browsers. Missing intermediate certificates are one of the most common TLS configuration errors.
OCSP stapling improves both performance and privacy by having the server fetch the certificate revocation status and attach it to the TLS handshake. This eliminates the need for browsers to contact the CA directly.
# Nginx OCSP stapling configuration
ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuing chain to validate the OCSP response;
# the path below is certbot's default layout for the domain used in this article.
ssl_trusted_certificate /etc/letsencrypt/live/soninow.com/chain.pem;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
Certificate Lifecycle Automation
Manual certificate renewal is a recipe for expired certificates and service outages. ACME clients like Certbot, acme.sh, and Caddy's built-in TLS automate the entire lifecycle.
# acme.sh with DNS API for wildcard certificates
# Placeholder token; scope it to this zone with DNS edit (and zone read) permissions only.
export CF_Token="cloudflare_api_token"
acme.sh --issue \
--dns dns_cf \
-d soninow.com \
-d '*.soninow.com' \
--reloadcmd "nginx -s reload"
Set monitoring alerts for certificate expiration at 30, 14, and 7 days before expiry, even with automation in place. Services like SSL Labs and Checkmk offer certificate expiration monitoring.
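An added example (not from the original article) of the expiry monitoring just described: it turns the 30/14/7-day thresholds into alert tiers and fetches the leaf certificate's notAfter over a fully verified TLS connection using only the Python standard library. fetch_not_after and check_host need network access; the tier logic is pure and can be exercised offline.

```python
import socket
import ssl
import time

# Alert tiers from the article: 30, 14 and 7 days before expiry.
ALERT_THRESHOLDS_DAYS = (30, 14, 7)

def days_until_expiry(not_after: str, now=None) -> float:
    """Days left given the 'notAfter' string from ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400

def alert_level(days_left: float, thresholds=ALERT_THRESHOLDS_DAYS):
    """Tightest tier crossed ('30d', '14d', '7d'), 'expired' once past, or None if all is well."""
    if days_left < 0:
        return "expired"
    crossed = [t for t in thresholds if days_left <= t]
    return f"{min(crossed)}d" if crossed else None

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate over a verified TLS connection (SNI set) and return notAfter.

    Chain or hostname validation failures surface as ssl.SSLError, which is itself a
    finding worth alerting on (a missing intermediate shows up here, not as an expiry).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host: str):
    """Return (days_left, alert_level) for a live host; None means no alert should fire."""
    days = days_until_expiry(fetch_not_after(host))
    return days, alert_level(days)
```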
Certificate Pinning and Its Risks
HTTP Public Key Pinning (HPKP) was intended to prevent CA compromise but proved too dangerous in practice — misconfiguration caused permanent site lockouts. Certificate Transparency (CT) logs and Expect-CT headers provide a safer alternative. CT requires every certificate to be logged in public, auditable logs, making misissuance detectable.
Testing Your TLS Configuration
Validate your configuration thoroughly before going live. SSL Labs Server Test provides a comprehensive analysis including certificate chain issues, protocol support, cipher strength, and downgrade attack susceptibility.
# Command-line TLS testing with testssl.sh
docker run --rm drwetter/testssl.sh \
--severity MEDIUM \
https://soninow.com
A grade A or A+ rating on SSL Labs should be the minimum target for production applications.
Proper HTTPS configuration is a prerequisite for user trust and search engine ranking. Our web application development services (/services/web-development) include full TLS lifecycle management as part of every deployment. Let us handle the certificates so you can focus on building features.