# An Ideal HTTPS setup for Apache and Nginx

Now more than ever, it’s imperative that we know when we’re using the Internet securely. With an ever-increasing amount of business being conducted online, even a small issue with the way a web server is configured could result in untold financial and reputational damage for a company, or a breach of someone’s most private information.

It’s no surprise, then, that usage of SSL/TLS (via HTTPS connections) has exploded in recent years. In fact, Google Chrome users have more than doubled their use of HTTPS in the last 2 years, rising from 27% of all page loads in 2013 to 58% in 2014.

However, HTTPS connections are only as good as the technology they’re based on. IT professionals are doing what they can to keep up with the ever-changing security landscape, but with vulnerabilities such as CRIME, BREACH, Lucky 13, BEAST, Heartbleed and POODLE coming to light with alarming regularity, administrators can just about finish patching their fleets of servers before the next issue is identified.

In fact, although many people running servers want to protect themselves, they don’t necessarily have enough in-depth knowledge of the underlying security of their systems to make investigating it worth the effort. And since packages like Apache and Nginx let administrators do just about anything (and by default don’t expose the options which would make their users’ servers more secure), many websites out there are putting both their own security and their visitors’ security at risk.

Here are two things that server administrators can do today to secure themselves.

2. Secure the setup.

This part is easier than you might think. While SSL/TLS certificates tend to be in the region of $100 to $200 per year (and EV certificates can be up to $1,000), StartSSL offer a free certificate for basic use. It’s what this site uses, and I’ve never had any trouble with browser or server compatibility.