
Getting an A+ rating on SSL Labs: improving your Qualys SSL Server Test result

05.11.2035
โ† All articles

The Qualys SSL Labs Server Test is the standard tool used by security experts worldwide. The test result is given on a scale from A to T, with A+ being the highest possible rating. This rating indicates that the site's SSL certificate, encryption algorithms, key exchange mechanism, and security headers are correctly configured. For banks, government institutions, and large corporate sites, an A+ rating is a mandatory requirement because it increases client trust and simplifies passing security audits.

Main requirements for an A+ rating

The first condition is to enable TLS 1.2 and TLS 1.3 while completely disabling the older TLS 1.0 and 1.1. The second condition is to use only modern encryption algorithms such as AES-256-GCM and ChaCha20-Poly1305; RC4, 3DES, and MD5 must be disabled. The third condition is to use ECDHE or DHE key exchange, which provides Forward Secrecy. The fourth condition is that the certificate chain is sent completely and correctly, meaning the server must return its own certificate along with the intermediate certificates.

HSTS header and preload list

The HTTP Strict Transport Security header is the most important condition for achieving an A+ rating. This header tells the browser that the site must be accessed only via HTTPS and provides protection against man-in-the-middle attacks. The max-age value in the header should be at least 63072000 seconds, which equals two years. Additionally, the includeSubDomains and preload parameters should be added. Sites added to the preload list become known in advance to Chrome, Firefox, and Safari browsers, making HTTPS mandatory from the very first visit.
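A check for the policy described above, as an added example that is not code from the original article: it parses a Strict-Transport-Security value following RFC 6797 and reports where it falls short of the article's criteria. The function names and the sample responses are constructed for illustration.

```python
import re

MIN_MAX_AGE = 63072000  # two years, the minimum the article asks for

def parse_hsts(value):
    """Parse one header value into {directive: value or None}; None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are permitted
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # the value may be sent as a quoted-string
        if not name or name in directives:
            return None  # RFC 6797 6.1: each directive may appear only once
        directives[name] = val if sep else None
    return directives

def check_hsts(headers):
    """Return findings for a list of (name, value) response headers; [] means pass."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["header missing"]
    policy = parse_hsts(values[0])  # RFC 6797 8.1: only the first header is processed
    if policy is None:
        return ["header malformed"]
    findings = []
    max_age = policy.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in policy:
            findings.append(f"{flag} missing")
    return findings

# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "strong": [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")],
    "one-year": [("strict-transport-security", "max-age=31536000; includeSubDomains")],
    "no-hsts": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, check_hsts(headers) or "OK")
```

Feed it the header list from any HTTP client response; a repeated directive is reported as malformed because a browser ignores such a header rather than picking one of the values.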

OCSP Stapling and certificate parameters

OCSP Stapling is a technology that speeds up certificate revocation checks and preserves privacy: the server attaches the CA's signed OCSP response to the TLS handshake, so the browser does not have to query the CA itself. To enable it, you only need to add a few lines to the web server configuration. The certificate itself must have at least a 2048-bit RSA key or a 256-bit ECDSA key and be signed with SHA-256 or a stronger hash algorithm. When using wildcard or SAN certificates, you must verify that all subdomains are correctly listed; otherwise the overall rating will suffer.

Sayt.uz practice

All SSL certificates on the Sayt.uz hosting platform are configured by default to achieve an A+ rating. 96 percent of our clients receive A+ on the first attempt, while our specialists help the remaining 4 percent free of charge. The verification service is also free, and each client receives a professional SSL audit three times a month. Consulting starts from 49 thousand soum, but for hosting clients this service is completely free. The premium audit package costs 149 thousand soum and includes a full infrastructure check with a detailed report.
