- Use certificates with at least sha-256 hash algorithms (including intermediate certificates).
- Use strong cipher suites (only 3 are allowed on my server: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:ECDHE-RSA-AES256-SHA). Forward secrecy is deployed if ECDHE or DHE key-exchanges are used.
- Disable SSL2, SSL3.
- Enable HSTS, add domain to HSTS preload list.
- Enable OCSP stapling and SPDY/3 for best performance.