Hardening

OCSP stapling


Normally a browser checks whether your certificate has been revoked by contacting the CA's OCSP responder — adding latency and leaking which sites the user visits to the CA. **OCSP stapling** moves that work to the server: it periodically fetches a signed, time-stamped OCSP response and "staples" it to the TLS handshake, so the client gets the revocation proof instantly and privately. Enable it (`ssl_stapling on` in nginx, `SSLUseStapling On` in Apache) and point it at your CA chain. It's a clear win with no downside for clients.
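To confirm that a staple is actually served once the directive is enabled, the check below classifies the OCSP section of `openssl s_client -status` output. It is an added example, not part of the original page; the function name `classify_staple` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `openssl s_client -status` output whether the
# server stapled an OCSP response and what that response says.

classify_staple() {
  # Reads s_client output on stdin and prints one verdict word.
  out=$(cat)
  # s_client prints this exact line when the handshake carried no staple.
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo "not-stapled"; return 0
  fi
  status=$(printf '%s\n' "$out" |
    sed -n 's/^ *OCSP Response Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
  cert=$(printf '%s\n' "$out" |
    sed -n 's/^ *Cert Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
  # No OCSP block at all: -status was not used or the handshake failed.
  if [ -z "$status" ]; then echo "no-ocsp-section"; return 0; fi
  # The responder answered with an error (e.g. trylater, unauthorized).
  if [ "$status" != "successful" ]; then echo "responder-error:$status"; return 0; fi
  case "$cert" in
    good)    echo "stapled-good" ;;
    revoked) echo "stapled-revoked" ;;
    *)       echo "stapled-unknown" ;;
  esac
}

# Constructed, trimmed sample outputs (not captured from a real server).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'

# Live check when a hostname is passed as the first argument.
if [ "$#" -ge 1 ]; then
  openssl s_client -connect "$1:443" -servername "$1" -status \
    </dev/null 2>/dev/null | classify_staple
fi
```

nginx fetches the OCSP response lazily, so a `not-stapled` verdict on the first handshake after a reload should be retried before treating it as a misconfiguration.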
