...

For encryption and decryption to happen securely, we have to define which cipher suites we want to support. The strength of TLS depends directly on the cipher suites we decide to use. Servers should be configured to disable all weak ciphers. The cheat sheet for ciphers can be found at https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
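The following is an added example, not part of the original page or the OWASP cheat sheet. It shows how a server-side TLS context can be restricted to TLS 1.2+ and forward-secret AEAD suites, and how a list of cipher names (for instance from a scanner report) can be screened for weak or non-forward-secret suites. The cipher string STRONG_CIPHER_STRING and the WEAK_MARKERS list are this example's own choices; consult the cheat sheet for the recommended string.

```python
import ssl

# Example cipher string (assumption, not the cheat sheet's text): only
# ephemeral-key-exchange AEAD suites, with legacy families explicitly excluded.
STRONG_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!3DES:!DES:!RC4:!MD5:!PSK:!SRP:!DSS"
)

# Substrings in OpenSSL cipher names that identify weak or obsolete suites.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "IDEA", "SEED")


def weak_ciphers(names):
    """Return the cipher names that match a weak/obsolete marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def lacks_forward_secrecy(names):
    """TLS 1.2 suites with static RSA key exchange (no DHE/ECDHE prefix).
    TLS 1.3 suites (names starting with TLS_) always use ephemeral keys."""
    return [n for n in names if not n.startswith(("ECDHE-", "DHE-", "TLS_"))]


def hardened_server_context():
    """Server context with SSLv3/TLS 1.0/TLS 1.1 disabled and weak suites removed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHER_STRING)
    return ctx


def negotiable_ciphers(ctx):
    """Names of the suites the context will actually offer, as OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = hardened_server_context()
    offered = negotiable_ciphers(ctx)
    print("minimum protocol:", ctx.minimum_version.name)
    print("offered suites:", offered)
    print("weak suites still offered:", weak_ciphers(offered))
    print("non-forward-secret suites:", lacks_forward_secrecy(offered))
```

Running the script prints the suites the hardened context offers; both audit lists should be empty. The same two screening functions can be applied to the cipher list a scanner reports for an existing server.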

...

Additional requirements

Having TLS enabled only on certain pages does not accomplish what was intended. Some of the following requirements apply only to the browser (web app) and not to the API. For optimum results, these guidelines [1] should also be followed.

Description | WebApp | Rest Client
All pages must be served over HTTPS. This includes CSS, scripts, images, AJAX requests, POST data and third party includes. Failure to do so creates a vector for man-in-the-middle attacks. | Yes | NA
Just protecting authenticated pages with HTTPS is not enough. Once there is one request over HTTP, man-in-the-middle attacks are possible, with the attackers being able to prevent users from reaching the secured pages. | Yes | NA
The HTTP Strict Transport Security header must be used and pre-loaded into browsers. This will instruct compatible browsers to only use HTTPS, even if requested to use HTTP. | Yes | Yes
Cookies must be marked as Secure. | Yes | NA
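The following is an added example, not part of the original page, that turns the requirements in the table above into an automated check over a captured response: it verifies the Strict-Transport-Security header (max-age of at least one year, includeSubDomains and preload, which are the submission requirements of the browser preload list), verifies that every Set-Cookie carries the Secure attribute, and scans the HTML body for sub-resources loaded over plain HTTP. The sample headers, cookies and body at the bottom are constructed for illustration; the hostnames in them are placeholders.

```python
import re
from html.parser import HTMLParser

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age accepted by the preload list


class MixedContentScanner(HTMLParser):
    """Collect sub-resources an HTTPS page would fetch over plain HTTP."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href",
                      "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = self.RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.findings.append(f"<{tag}> loads {value} over plain HTTP")


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def check_hsts(headers):
    """headers: dict keyed by lower-cased header name."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    directives = [d.strip().lower() for d in value.split(";")]
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if m is None or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in directives:
        findings.append("HSTS lacks preload")
    return findings


def check_cookies(set_cookie_values):
    """Flag every Set-Cookie value that does not carry the Secure attribute."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "secure" for p in parts[1:]):
            findings.append(f"cookie {name!r} not marked Secure")
    return findings


def audit_response(headers, set_cookie_values, body):
    """Combine the three checks into one list of findings (empty means pass)."""
    return check_hsts(headers) + check_cookies(set_cookie_values) + find_mixed_content(body)


# Constructed sample response that violates all three requirements.
SAMPLE_BAD_HEADERS = {"content-type": "text/html", "strict-transport-security": "max-age=300"}
SAMPLE_BAD_COOKIES = ["session=abc123; Path=/; HttpOnly", "theme=dark; Secure"]
SAMPLE_BAD_BODY = (
    '<html><head><script src="http://cdn.example.test/app.js"></script>'
    '<link rel="stylesheet" href="https://cdn.example.test/a.css"></head>'
    '<body><img src="http://img.example.test/logo.png"></body></html>'
)

# Constructed sample response that satisfies them.
SAMPLE_GOOD_HEADERS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
SAMPLE_GOOD_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly"]
SAMPLE_GOOD_BODY = '<html><body><img src="https://img.example.test/logo.png"></body></html>'

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_BAD_HEADERS, SAMPLE_BAD_COOKIES, SAMPLE_BAD_BODY):
        print("FAIL:", finding)
    print("good sample findings:", audit_response(SAMPLE_GOOD_HEADERS, SAMPLE_GOOD_COOKIES, SAMPLE_GOOD_BODY))
```

The header dictionary is expected with lower-cased names, which is how most HTTP client libraries expose them; Set-Cookie is passed as a list because a response may carry several. For a REST client only the HSTS check applies, matching the "Rest Client" column of the table.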




References

  1. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
  2. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

...