ssl-config.fyi
Generate and grade a secure SSL/TLS configuration. Pick a compatibility profile, tune protocols, ciphers, and hardening, and watch a live A+–F security grade — then copy the ready-to-paste config for nginx, Apache, Caddy, HAProxy, lighttpd, or Go. Already have a config? Paste it in to grade and harden it.
Compatibility profile
Oldest clients supported: Firefox 27, Chrome 31, IE 11 (Win 7), Edge, Safari 9, Android 4.4, Java 8u31, OpenSSL 1.0.1 (≈ 2014+)
Protocols
Environment optional
HTTP Strict Transport Security
Hardening & performance
Advanced
Strong configuration with minor room to improve.
Score 100 / 100 · Intermediate profile
Paste your server's TLS configuration
Paste a config above to grade it. Parsing happens entirely in your browser.
Verify your deployment
After deploying, confirm what the server actually negotiates. Replace example.com with your host.
Inspect the handshake
openssl s_client -connect example.com:443 \
  -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -dates -issuer

Enumerate protocols & ciphers
nmap --script ssl-enum-ciphers -p 443 example.com
# or, more thorough:
testssl.sh https://example.com

Check HSTS & stapling
curl -sI https://example.com | grep -i strict-transport-security
openssl s_client -connect example.com:443 -status \
  </dev/null 2>/dev/null | grep -A2 'OCSP Response'

Generate strong DH params
# needed only for the DHE ciphers in Intermediate/Old
curl https://ssl-config.mozilla.org/ffdhe2048.txt \
  -o /etc/nginx/dhparam

New to any of this? The reference explains every option — certificates & key types, cipher suites, and HSTS.
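The HSTS check above only shows that the header exists. As an added example (not part of ssl-config.fyi), this shell function parses the header's directives from curl -sI output and fails when max-age is below a minimum; the function names, the one-year default and the sample headers are assumptions made for illustration.

```shell
# Added example: evaluate the Strict-Transport-Security header in `curl -sI` output.
# Reads response headers on stdin, prints a one-line verdict, returns 0 only when
# the header is present and max-age >= the minimum given as $1.
hsts_check() {
    min_age="${1:-31536000}"   # assumption: one year; set to your own policy
    # Use the first HSTS header only (as RFC 6797 clients do), strip CRs,
    # drop the field name.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    if [ -z "$value" ]; then
        echo "missing"
        return 1
    fi
    max_age="" subdomains=no preload=no
    old_ifs=$IFS
    IFS=';'                     # directives are ';'-separated and case-insensitive
    for d in $value; do
        d=$(printf '%s' "$d" | tr -d ' \t"' | tr '[:upper:]' '[:lower:]')
        case "$d" in
            max-age=*)         max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
            preload)           preload=yes ;;
        esac
    done
    IFS=$old_ifs
    case "$max_age" in
        ''|*[!0-9]*) echo "invalid max-age"; return 1 ;;
    esac
    summary="max-age=$max_age includeSubDomains=$subdomains preload=$preload"
    if [ "$max_age" -ge "$min_age" ]; then
        echo "ok $summary"
    else
        echo "weak $summary"
        return 1
    fi
}

# Constructed sample response headers (not captured from a real host).
sample_headers() {
    printf 'HTTP/2 200\r\nserver: nginx\r\n'
    printf 'Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n\r\n'
}

sample_headers | hsts_check
# Live use: curl -sI https://example.com | hsts_check
```

The non-zero exit status on a missing or short-lived header lets the check gate a deployment script.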
Configuration values follow the Mozilla Server Side TLS guidelines. The grade scores the configuration you build or paste (protocols, ciphers, HSTS, OCSP stapling, session handling) — it does not connect to or scan any live site. Always test a new config in staging before deploying.