TLS Configuration SOP
A padlock isn't a config audit. Verify the actual handshake.
— Step 1: Disable TLS 1.0 and 1.1 at the server; allow 1.2 and 1.3 only.
— Step 2: Remove weak ciphers — no RC4, no 3DES, no CBC where you can avoid it.
— Step 3: Verify with an SSL test tool; the target is an A or A+, no exceptions.
— Step 4: Force HTTPS with a 301, then confirm no mixed-content warnings in the console.
— Step 5: Set OCSP stapling so revocation checks don't slow the handshake.
— Step 6: Confirm certificate auto-renewal works and alerts you 14 days before expiry.
Do this on every domain and subdomain.
Run this every time.
Lockdown Ledger
@LockdownLedger
TLS Configuration SOP
Этот пост опубликован в Telegram-канале Lockdown Ledger. Подписаться можно по ссылке: @LockdownLedger.