SSLLabs checker shows that Forward Secrecy is not supported


2016-12-12 03:42:31 UTC


2017-08-08 13:41:49 UTC



Applicable to:

  • Plesk 12.5 for Linux


The SSLLabs checker rates domains A- or A instead of A+ and reports that Forward Secrecy is not supported. How can the score be improved?


Modify the /etc/nginx/conf.d/ssl.conf configuration as follows:

# cat /etc/nginx/conf.d/ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Here, the add_header directive sends the Strict-Transport-Security (HSTS) header, which defines how long browsers should keep security data for the site. max-age=31536000 equals 1 year. includeSubDomains applies these settings to all subdomains; in that case, make sure that all subdomains have trusted certificates. If they do not, remove includeSubDomains so that the add_header directive reads as follows:

add_header Strict-Transport-Security "max-age=31536000;";
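
To check a config for the two things this article changes (ciphers limited to ephemeral key exchange, and the HSTS header), the following added example parses the directives offline. It is not Plesk or nginx code; the function names and the second sample config are assumptions made for illustration, and the cipher check is a conservative heuristic on the cipher string, not a query of the OpenSSL build.

```python
import shlex

# OpenSSL cipher-string keywords that select ephemeral (forward-secret) key exchange.
FS_KEYWORDS = {"EECDH", "ECDHE", "kEECDH", "kECDHE", "EDH", "DHE", "kEDH", "kDHE"}

def parse_directives(conf_text):
    """Map directive name -> list of argument strings (simple one-line directives only)."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            found.setdefault(name, []).append(args.strip())
    return found

def non_fs_elements(cipher_string):
    """Cipher-string elements that can admit suites without ephemeral key exchange."""
    weak = []
    for part in cipher_string.split(":"):
        if not part or part[0] in "!-+@":             # these prefixes never add suites
            continue
        tokens = set(part.split("+"))                 # "A+B" selects suites matching A AND B
        if not tokens & FS_KEYWORDS and not part.startswith(("ECDHE-", "DHE-")):
            weak.append(part)
    return weak

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    fields = dict(p.strip().lower().partition("=")[::2] for p in value.split(";") if p.strip())
    age = fields.get("max-age", "").strip('"')
    return (int(age) if age.isdigit() else None), "includesubdomains" in fields

def audit(conf_text):
    # Summarise the forward-secrecy and HSTS settings found in one config file.
    d = parse_directives(conf_text)
    hsts = (None, False)
    for args in d.get("add_header", []):
        parts = shlex.split(args)                     # handles the quoted header value
        if len(parts) >= 2 and parts[0].lower() == "strict-transport-security":
            hsts = parse_hsts(parts[1])
    ciphers = d.get("ssl_ciphers", [""])[-1]
    return {"non_fs": non_fs_elements(ciphers) if ciphers else ["(ssl_ciphers unset)"],
            "prefer_server": d.get("ssl_prefer_server_ciphers", ["off"])[-1] == "on",
            "hsts_max_age": hsts[0], "hsts_subdomains": hsts[1]}

# First: the settings from this article. Second: a constructed config for contrast.
PAGE_CONF = ('ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n'
             'ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;\n'
             'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";\n')
WEAK_CONF = 'ssl_ciphers HIGH:!aNULL:!MD5;\n'
print(audit(PAGE_CONF), audit(WEAK_CONF), sep="\n")
```

An empty non_fs list means every element of ssl_ciphers is restricted to ECDHE or DHE key exchange; a hsts_max_age of None means no Strict-Transport-Security header is configured in that file.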


  • 0
    Jorge Batres

    Hi, I have followed these exact instructions but SSLLabs does not show Strict Transport Security (HSTS) for my domain which already has an "A".

    I use Onyx Version 17.0.17 Update #14 on Linux RHEL 6.8.

    Any ideas?

  • 0
    Vitaly Zhidkov

    @Jorge, I see that you have configured everything correctly:

    # curl -s -D- | grep Strict
    Strict-Transport-Security: max-age=31536000;

    SSLLabs test returns the A+ score and shows the same - HSTS is configured properly.

  • 0
    Jorge Batres

    Thank you Vitaly, everything works great now!
