SSL/TLS Security

Medium

Checks SSL expiration, weak ciphers, and HSTS.

Estimated fix time: 45 minutes

What is SSL/TLS Security?

A TLS certificate lets browsers verify that they are talking to your server; the TLS session negotiated after that check then encrypts and integrity-protects everything exchanged with it. Proper TLS configuration (a valid and complete certificate chain, modern protocols and ciphers, HSTS) is essential for protecting sensitive data such as credentials and session cookies and for maintaining user trust. "SSL" survives in product and tool names, but every SSL protocol version is obsolete and must stay disabled.

Security Impact

Severity: Critical

  • Data interception and man-in-the-middle attacks
  • Credential theft
  • Loss of user trust
  • SEO penalties
  • Browser security warnings

How to Fix

1. Obtain an SSL Certificate

Free Options:

  • Let's Encrypt (automated, recommended)
  • Cloudflare SSL

Commercial Options:

  • DigiCert
  • Comodo (now Sectigo)
  • GlobalSign

2. Install SSL Certificate

Using Let's Encrypt with Certbot:

# Install Certbot (use python3-certbot-apache instead when the web server is Apache)
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

# Obtain a certificate and let Certbot wire it into the Nginx server block
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# The Debian/Ubuntu package installs a systemd timer (certbot.timer) that renews
# certificates automatically; confirm that a renewal would succeed end to end
sudo certbot renew --dry-run

3. Force HTTPS in Laravel

URL::forceScheme() makes every URL Laravel generates (routes, asset(), redirects) use https://, so HTTPS pages do not embed http:// links back to the application. If TLS terminates at Cloudflare or a load balancer that talks plain HTTP to the application, also register that proxy in the TrustProxies middleware so that request()->secure() reflects the original scheme; otherwise any HTTPS-only logic keyed on the request believes it is serving HTTP.

// app/Providers/AppServiceProvider.php
use Illuminate\Support\Facades\URL;

public function boot(): void
{
    // Only in production: local development usually runs over plain HTTP
    if ($this->app->environment('production')) {
        URL::forceScheme('https');
    }
}

4. Configure Nginx for SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # fullchain.pem = leaf certificate plus intermediate(s); serving cert.pem alone
    # produces an incomplete chain that some clients reject
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Strong TLS settings: TLS 1.2/1.3 only, AEAD suites with ECDHE key exchange.
    # HIGH:!aNULL:!MD5 is not enough: it still allows static-RSA suites (no forward
    # secrecy) and CBC/SHA-1 suites, which scanners report as weak. TLS 1.3 suites
    # are not controlled by ssl_ciphers and are all forward secret.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP Stapling (chain.pem is used to verify the stapled response; Nginx needs
    # a resolver to reach the OCSP responder, adjust the addresses to your DNS)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 1.1.1.1 8.8.8.8 valid=300s;

    # HSTS: only meaningful over HTTPS, which is why it lives in this block. Start
    # with a short max-age and raise it to a year once everything works (see HSTS
    # Preloading below). add_header is not inherited by a location block that sets
    # its own add_header, so repeat this line in any such location.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root /var/www/html/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        # fastcgi_params on Debian/Ubuntu does not set SCRIPT_FILENAME; without it
        # PHP-FPM answers "File not found" for every request
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    # $host keeps the redirect on the same hostname, which HSTS preload requires;
    # $server_name would send www. visitors to the apex instead
    return 301 https://$host$request_uri;
}

5. Configure Apache for SSL

# In the main server configuration, outside any VirtualHost (needed for OCSP stapling)
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/html/public

    SSLEngine on
    # Apache 2.4.8+ reads the intermediate chain from fullchain.pem;
    # SSLCertificateChainFile is deprecated
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem

    # Strong TLS configuration (same rationale and suites as the Nginx example:
    # HIGH:!aNULL:!MD5 still permits non-forward-secret and CBC/SHA-1 suites)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLUseStapling on

    # HSTS (requires mod_headers: a2enmod headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    <Directory /var/www/html/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # Same-host redirect (requires mod_rewrite): www. requests stay on www., as
    # HSTS preload requires; a plain "Redirect permanent / https://yourdomain.com/"
    # would send them to the apex
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

6. Update Laravel Configuration

# .env
APP_URL=https://yourdomain.com
SESSION_SECURE_COOKIE=true
SANCTUM_STATEFUL_DOMAINS=yourdomain.com,www.yourdomain.com

// config/session.php
// secure: the browser sends the session cookie over HTTPS only, so it cannot leak
// on the plain-HTTP request that precedes the redirect
'secure' => env('SESSION_SECURE_COOKIE', true),
// http_only: the cookie is invisible to JavaScript, so XSS cannot read it
'http_only' => true,
// same_site: the cookie is not sent on cross-site POSTs, which limits CSRF
'same_site' => 'lax',

Verification Steps

  1. Visit https://yourdomain.com: the page should load with no certificate or mixed-content warning
  2. Run the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/) and aim for an A or A+; it reports weak ciphers, old protocols and chain problems in one place
  3. Verify the Strict-Transport-Security header is present on HTTPS responses (browsers ignore it when it arrives over HTTP)
  4. Request http://yourdomain.com and http://www.yourdomain.com and confirm each answers a 301 to the HTTPS URL on the same host
  5. Check the certificate expiration date and that automatic renewal is scheduled
  6. Verify the certificate chain is complete (leaf plus intermediates); a chain that works in your browser only because it cached the intermediate can still fail for other clients
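The six checks above can be scripted. The following is an added example, not part of the original guide and not StackShield's scanner, using only the Python standard library. The helper functions parse an HSTS header value, a certificate notAfter string and an OpenSSL cipher name, so they can be exercised offline against constructed values; check_host() runs the live checks against a hostname you supply (the hostname, port and the want_preload flag are assumptions, and HSTS_MIN_AGE of one year is the preload list's minimum). Because check_host() uses ssl.create_default_context(), an incomplete or expired chain surfaces as ssl.SSLCertVerificationError rather than a silent pass.

```python
"""Scripted version of the verification steps: TLS version, cipher, chain,
certificate expiry and HSTS. Added example, standard library only."""
import re
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPSConnection

HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

# Algorithms that should never appear in a negotiated cipher name.
WEAK_ALGORITHMS = re.compile(r"RC4|DES|MD5|NULL|EXP-|ADH|AECDH")


def parse_hsts(value):
    """Split a Strict-Transport-Security value into
    (max_age or None, include_subdomains, preload)."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return max_age, subdomains, preload


def hsts_problems(value, want_preload=False):
    """Findings for an HSTS header value (None means the header was absent)."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    max_age, subdomains, preload = parse_hsts(value)
    problems = []
    if max_age is None:
        problems.append("max-age missing or malformed")
    elif max_age < HSTS_MIN_AGE:
        problems.append("max-age %d is below one year" % max_age)
    if want_preload and not subdomains:
        problems.append("includeSubDomains missing (required for preload)")
    if want_preload and not preload:
        problems.append("preload directive missing")
    return problems


def _parse_openssl_time(text):
    """'notAfter=Jan 15 12:00:00 2030 GMT' (openssl x509 -enddate) or the bare
    'Jan 15 12:00:00 2030 GMT' (SSLSocket.getpeercert()) -> aware UTC datetime."""
    text = text.split("=", 1)[-1].strip()
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate (negative once expired). `now` may be
    omitted, an aware datetime, or a string in the same format as not_after."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_openssl_time(now)
    return (_parse_openssl_time(not_after) - now).days


def cipher_problems(name):
    """Findings for one OpenSSL-style cipher name, as printed by `openssl s_client`
    or returned by SSLSocket.cipher(). An empty list means acceptable."""
    problems = []
    if WEAK_ALGORITHMS.search(name):
        problems.append("broken or deprecated algorithm")
    tls13 = name.startswith("TLS_")  # TLS 1.3 suites are always (EC)DHE and AEAD
    if not tls13 and not name.startswith(("ECDHE-", "DHE-")):
        problems.append("no forward secrecy (static RSA/DH key exchange)")
    if not tls13 and "GCM" not in name and "POLY1305" not in name:
        problems.append("CBC mode with HMAC (prefer an AEAD suite)")
    return problems


def check_host(host, port=443, timeout=5.0):
    """Live check of one host (needs network access). Raises
    ssl.SSLCertVerificationError when the chain is incomplete or expired."""
    ctx = ssl.create_default_context()  # verifies hostname and chain against system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
            not_after = tls.getpeercert()["notAfter"]
    conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return {
        "tls_version": version,
        "cipher": cipher,
        "cipher_problems": cipher_problems(cipher),
        "days_until_expiry": days_until_expiry(not_after),
        "hsts_problems": hsts_problems(hsts, want_preload=True),
    }


if __name__ == "__main__":
    for key, value in check_host(sys.argv[1]).items():
        print("%s: %s" % (key, value))
```

Run it as `python3 tlscheck.py yourdomain.com`; the redirect check (step 4) is deliberately left to curl, since it is a plain-HTTP request. The cipher classifier only sees the suite your own client negotiated, so it complements rather than replaces the SSL Labs scan, which enumerates every suite the server offers.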

Advanced Configuration

HTTP/2 Support

HTTP/2 is negotiated through ALPN during the TLS handshake, so browsers only use it over HTTPS; enabling it is one of the performance gains of the move to TLS:

listen 443 ssl http2;

# Nginx 1.25.1 and later deprecate the http2 parameter of listen in favour of
#   listen 443 ssl;
#   http2 on;

Certificate Monitoring

Monitor certificate expiry independently of the renewal job, so that a renewal that fails silently is noticed before the certificate lapses:

# Check certificate expiration
openssl x509 -enddate -noout -in /etc/letsencrypt/live/yourdomain.com/cert.pem

# Attempt renewal twice a day (Certbot only renews when fewer than 30 days remain,
# and a twice-daily run leaves room to retry after a failure). A monthly run is
# too coarse: one failed attempt can leave no second chance before expiry.
# Skip this cron entry if certbot.timer is already active on the host.
0 */12 * * * /usr/bin/certbot renew --quiet

HSTS Preloading

Once HSTS has been live with a long max-age and no fallout, submit the domain at hstspreload.org so browsers ship with it marked HTTPS-only and never make the first plain-HTTP request. The list requires the header below on the apex domain (max-age of at least one year, includeSubDomains and preload), a same-host HTTP-to-HTTPS redirect, and a valid certificate on every subdomain. Removal from the list takes months to reach users through browser releases, so do not add the preload directive until every subdomain, including mail, staging and internal hosts, serves HTTPS:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Common Issues

Mixed Content Warnings

Fix mixed content by ensuring every sub-resource (scripts, stylesheets, images, frames, fonts) is loaded over HTTPS. Browsers block "active" mixed content such as scripts outright and warn about passive content such as images. In Laravel views, asset() and route() already emit https:// once URL::forceScheme('https') is set (step 3); the remaining offenders are usually hard-coded third-party URLs:

{{-- Bad --}}
<script src="http://example.com/script.js"></script>

{{-- Good --}}
<script src="https://example.com/script.js"></script>

{{-- Avoid: protocol-relative URLs inherit the page's scheme, so they load over
     HTTP whenever the page does. On an HTTPS-only site there is no reason not
     to write https:// explicitly. --}}
<script src="//example.com/script.js"></script>
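A scanner for the problem above, added here as an example (not the guide's or StackShield's code) using only the Python standard library: it walks the tags whose attributes make the browser fetch a sub-resource and reports both absolute http:// URLs and protocol-relative ones, including candidates inside srcset. The sample markup is constructed for the demonstration, and the tag-to-attribute table is an assumption that covers the common cases rather than the full HTML fetch spec.

```python
"""Find mixed-content sub-resources in an HTML document. Added example,
standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource (assumed
# list covering the common cases). <a href> is a navigation, not a sub-resource,
# so it is deliberately absent.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
}


def classify_url(url):
    """Reason the URL is a mixed-content risk on an HTTPS page, or None."""
    if url.startswith("//"):
        return "protocol-relative: loads over http: whenever the page does"
    if urlsplit(url).scheme.lower() == "http":
        return "insecure http:// sub-resource (blocked or flagged by browsers)"
    return None  # https://, relative, data: etc. inherit or carry a safe scheme


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url, reason) tuples for every insecure reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for attr, value in attrs:
            if attr not in wanted or not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            candidates = value.split(",") if attr == "srcset" else [value]
            for candidate in candidates:
                parts = candidate.split()
                if not parts:
                    continue
                reason = classify_url(parts[0])
                if reason:
                    self.findings.append((tag, attr, parts[0], reason))


def find_mixed_content(html):
    """Return all mixed-content findings for an HTML string, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the demonstration.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example.com/app.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/legacy.js"></script>
<img src="/images/logo.png" srcset="/images/logo.png 1x, http://cdn.example.com/logo@2x.png 2x">
"""

if __name__ == "__main__":
    for tag, attr, url, reason in find_mixed_content(SAMPLE_HTML):
        print("<%s %s=%s>: %s" % (tag, attr, url, reason))
```

Point find_mixed_content() at rendered pages (after Blade has run) rather than at templates, since asset() output and other generated URLs only exist in the rendered HTML.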

Certificate Chain Issues

Ensure the full certificate chain (leaf plus intermediates) is installed; with Let's Encrypt that means pointing the server at fullchain.pem, not cert.pem. Test it from outside the server:

# Test certificate chain (-servername sends SNI so the right certificate is selected)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null

Look for "Verify return code: 0 (ok)" at the end of the output. "Verify return code: 21 (unable to verify the first certificate)" means the server sent only the leaf certificate and the intermediate is missing.

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
