TLS Cipher Suites Explained: How to Read Them and Choose the Right Ones
A cipher suite is the bundle of algorithms that secures a TLS connection. Learn to read a suite name like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, why forward secrecy is the part that matters most, how TLS 1.3 cut the list to five AEAD suites, and which weak suites to disable.
What Is SNI? Server Name Indication, ESNI, and Encrypted Client Hello
Server Name Indication (SNI) lets one IP host many HTTPS sites, each with its own certificate, by naming the hostname in the TLS handshake — in plaintext. Learn how SNI works, how it differs from multi-domain certificates, and how Encrypted Client Hello (ECH) finally encrypts it.
Certificate Revocation Explained: CRL vs OCSP in 2026
How certificate revocation actually works — CRLs, OCSP, and OCSP stapling — why browser soft-fail undermines all of them, and why Let's Encrypt, the CA/Browser Forum, and Firefox spent 2025 moving back to CRLs and short-lived certificates.
SSL Certificate Errors: What Each One Means and How to Fix It
Every common SSL error decoded by its browser code — expired certificates, name mismatches, untrusted issuers, protocol failures and revocations — with the exact cause and fix for each, plus the OpenSSL commands to diagnose them.
Mixed Content Errors: What They Are and How to Fix Them
Mixed content errors occur when an HTTPS page loads HTTP resources. Learn active vs passive types, how Chrome and Firefox handle them, and step-by-step fixes for WordPress, Nginx, Apache, and IIS.
OCSP Stapling Explained: What It Is, How It Works, and How to Enable It
OCSP stapling caches a CA-signed revocation proof on your server and delivers it at TLS handshake time, eliminating a browser round trip and a privacy leak to the CA. Learn how to enable it on Nginx, Apache, and IIS.
TLS 1.3 vs TLS 1.2: Key Differences, Security Improvements, and How to Enable It
TLS 1.3 cuts the handshake to one round-trip, mandates forward secrecy, and encrypts certificates. Learn what changed from TLS 1.2 and how to enable it on Nginx, Apache, and IIS.
HSTS: What It Is, How It Works, and How to Enable It
HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS-only connections. Learn the header syntax, server config for Nginx, Apache, and IIS, and the HSTS preload list requirements.
CA/Browser Forum Domain Validation Changes in 2026
Understand CA/Browser Forum 2026 changes: mandatory DNSSEC validation (SC-085), email/phone DCV sunset (SC-090), and what website owners must do to prepare.
The SSL Certificate Expiration Problem: Why Shorter Lifetimes Will Cause More Outages
Learn why shorter SSL certificate lifetimes increase outage risk. Understand certificate expiration as a reliability problem and how to prevent renewal failures.
2026 SSL Certificate Guidelines: 47-Day Lifetime Changes Explained
Learn about the CA/Browser Forum Ballot SC-081 reducing SSL certificate lifetimes to 200 days (2026), 100 days (2027), and 47 days (2029). Prepare your organization now.
CAA Record Guide: Certificate Authority Authorization
Learn what CAA records are, how they protect your domain from unauthorized SSL certificate issuance, and how to configure CAA DNS records step-by-step.