You finally got HTTPS running on your web server. Is there anything else you can do? Well, let me tell you about a few (free) things you can do.
Probably the most important work you can do when setting up HTTPS is testing all the changes. While you can use curl and “sweat of your brow”, I prefer using SSL Labs. It covers a bunch of stuff and it gets regularly updated with the latest recommendations. If test finds anything needing an improvement, you will get enough information to fix it.
To be sure your setup is not unnecessarily slow, a speed test does come in handy. If you run the same test toward both your HTTP and HTTPS setup, you should except numbers to be very close. While it will become impossible to test HTTP-only speed once you fully activate HTTPS, you can still benefit from “run A” vs “run B” testing.
There is a lot of small fiddly details with HTTPS and testing will prevent you from going at it blind.
Monitor Certificate Expiration
If you are using Let’s Encrypt it’s a pure necessity to monitor expiration of your certificates. Three month validity might seem long but, once everything starts working, you will forget to check and you have inaccessible web site on your hands. Half an hour needed to setup and testing monitoring is well worth it.
Of course, if you are using commercial certificate provider, you can ignore this as they’ll bug you enough.
Monitor Issued Certificates
As you are already monitoring your certificate expiry, you might also want to monitor who is generating them. If you use Cert Spotter, you’ll get an email every time one of your domains gets a new certificate. For 99% sites, including this, this is pure overkill. But that doesn’t mean you shouldn’t sign up. :)
If you use any decent certificate provider, you can expect them to report all issued certificates to Certificate Transparency project. Armed with this assumption, you can start sending Expect-CT HTTP header. In practice this protects you from man-in-the-middle attacks by certificate authorities already trusted by your computer. Great examples include your company or flight entertainment CA. If they try to fudge your TLS connection, this way you’ll know.
If you have access to your DNS settings, you should think about setting up CAA. How far can you go depends on your DNS provider. Some of them, like CloudFlare, support only a subset of needed functionality. Realistically, even that is sufficient but for the full compliance to rules, raw DNS access is the best. In theory this will protect you against issuance of certificate by a non-trusted CA. Since this is based on gentlemen’s agreement, the actual enforcement is yet to be proven.
Lastly, once you sort everything else, do look into HSTS. It is a bit of work to apply and get certified for entrance into the preload list with multiple consequences. The most obvious one is that your domain will always be loaded in its HTTPS glory instead of the HTTP redirect. However, that pales in comparison to the most important benefit – the bragging rights since your website is explicitly compiled in the every major browser. That and sense of impending doom as any HTTPS mistake will render your website completely inaccessible. I guess this is not for those of weak heart.