From 68e9681240ac62f6f61c7926ecdf701aa0c17ed3 Mon Sep 17 00:00:00 2001 From: jeroen Date: Tue, 23 Aug 2022 17:37:27 +0200 Subject: [PATCH] Update SECURITY.md: add OCSP stapling and disabled TLS session tickets --- SECURITY.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index c6a3418..16e3e50 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,7 +15,11 @@ This Gitea instance is configured following best practices, in order to thwart l ### Web front-end - Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS). -- TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption, with the following ciphers: `ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM` and with HSTS. +- TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption - with HSTS and the following ciphers: + ``` + ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM +- OCSP stapling is enabled. +- TLS session tickets are disabled (at least until Nginx fixes this properly). ### Networking
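Review bot: the code fence opened on the added line after "with HSTS and the following ciphers:" is never closed, so in rendered Markdown the cipher string, the new "OCSP stapling is enabled." item and the "TLS session tickets are disabled" item all end up inside one code block instead of continuing the bullet list; add a closing fence line (indented to match the opening one) directly after the `ECDHE-ECDSA-CHACHA20-POLY1305:...:EDH+AESGCM` line, before `- OCSP stapling is enabled.`. Separately, "at least until Nginx fixes this properly" leaves the reader without the reason tickets are disabled or a way to track when they can be re-enabled; consider stating the concern in one clause (for example that ticket keys are not rotated) and linking the upstream issue, so the next maintainer knows when to revisit the setting.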