Transport Security

Before deploying, verify transport security meets these requirements.

Pre-deploy checklist

  1. TLS version — TLS 1.2 minimum is REQUIRED, TLS 1.3 SHOULD be preferred. Verify TLS 1.0 and 1.1 are disabled entirely.
  2. HSTS — all production domains MUST have the header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Submit to the HSTS preload list.
  3. Cipher suites — verify the server uses Mozilla's "Intermediate" or "Modern" TLS configuration. Prefer AEAD ciphers (AES-GCM, ChaCha20-Poly1305).
  4. Certificate pinning (mobile apps only) — pin to the intermediate CA (not the leaf). Verify backup pins are included and a recovery plan exists. Consider Certificate Transparency monitoring as a lighter alternative.

Verification tools

  • curl -vI https://yourdomain.com — check TLS version and certificate chain
  • SSL Labs Server Test — comprehensive TLS audit
  • Mozilla Observatory — checks HSTS, CSP, and other security headers
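
Checklist items 1 to 3 as an automated check (an added example, not part of the original checklist or any project's code): it takes the protocol, cipher suite and HSTS header observed on a connection and returns the items that fail or merit a warning. The names Observation, Finding, parseHsts and auditTransport are hypothetical, the sample observations are constructed, and accepting a max-age larger than 31536000 is an assumption of the example.

```typescript
// Added example: identifiers are hypothetical, sample inputs are constructed.
type Finding = { check: string; level: "fail" | "warn"; detail: string };
interface Observation {
  protocol: string;    // negotiated version in the form Node's getProtocol() reports, e.g. "TLSv1.2"
  cipher: string;      // negotiated suite name (OpenSSL or IANA spelling)
  hsts: string | null; // raw Strict-Transport-Security value, null when the header is absent
}

// Split an HSTS value into directives; null means malformed or a repeated directive.
function parseHsts(value: string): { [name: string]: string } | null {
  const out: { [name: string]: string } = {};
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue; // tolerate a trailing ";"
    const m = /^([A-Za-z-]+)\s*(?:=\s*"?([^"]*)"?)?$/.exec(part);
    if (!m) return null;
    const name = m[1].toLowerCase(); // directive names are case-insensitive
    if (Object.prototype.hasOwnProperty.call(out, name)) return null;
    out[name] = m[2] === undefined ? "" : m[2];
  }
  return out;
}

function auditTransport(o: Observation): Finding[] {
  const f: Finding[] = [];
  const add = (check: string, level: "fail" | "warn", detail: string) => { f.push({ check, level, detail }); };
  // Item 1: TLS 1.2 is the required minimum, TLS 1.3 is preferred.
  if (o.protocol === "TLSv1.2") add("tls-version", "warn", "TLS 1.2 negotiated; TLS 1.3 is preferred");
  else if (o.protocol !== "TLSv1.3") add("tls-version", "fail", o.protocol + " does not meet the TLS 1.2 minimum");
  // Item 3: AEAD suites (AES-GCM, ChaCha20-Poly1305) are preferred.
  if (!/GCM|CHACHA20[-_]POLY1305/i.test(o.cipher)) add("cipher", "warn", o.cipher + " is not an AES-GCM or ChaCha20-Poly1305 suite");
  // Item 2: HSTS must carry a one-year max-age, includeSubDomains and preload.
  const d = o.hsts === null ? null : parseHsts(o.hsts);
  if (d === null) { add("hsts", "fail", "header missing or malformed"); return f; }
  const age = d["max-age"] || "";
  // Assumption of this example: a max-age above the checklist's 31536000 also passes.
  if (!/^\d+$/.test(age) || parseInt(age, 10) < 31536000) add("hsts", "fail", "max-age missing or below 31536000");
  if (!("includesubdomains" in d)) add("hsts", "fail", "includeSubDomains missing");
  if (!("preload" in d)) add("hsts", "fail", "preload missing");
  return f;
}

// Constructed observations: one compliant endpoint, one that fails the checklist.
const GOOD: Observation = { protocol: "TLSv1.3", cipher: "TLS_AES_256_GCM_SHA384",
  hsts: "max-age=31536000; includeSubDomains; preload" };
const WEAK: Observation = { protocol: "TLSv1.1", cipher: "ECDHE-RSA-AES128-SHA",
  hsts: "max-age=86400; includeSubDomains" };
for (const x of [GOOD, WEAK]) console.log(x.protocol, JSON.stringify(auditTransport(x)));
```

A successful TLS 1.3 handshake does not show that TLS 1.0 and 1.1 are disabled. Confirm that separately by capping the client at the old version (for example curl's --tls-max 1.1) and checking that the handshake is refused.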

version: 1.1.1
platforms: typescript, web
tags: security, transport-security
author: Mike Fullerton
modified: 2026-04-09

Change History

Version  Date        Author          Summary
1.1.1    2026-04-09  Mike Fullerton  Add trigger tags
1.1.0    2026-04-09  Mike Fullerton  Tailor for shipping use case — focus on pre-deploy verification checklist
1.0.1    2026-04-09  Mike Fullerton  Reorganize into use-case directory
1.0.0    2026-03-27  Mike Fullerton  Initial creation