We’ve rolled out a couple of improvements to our cloud load balancer service this week. They’re only little tweaks but they help you tighten up your security.
First of all, we’ve tuned the TLS ciphersuite for better default security, whilst still maintaining backwards compatibility. In particular, we’re now prioritizing algorithms that provide perfect forward secrecy, which means your users’ past sessions stay protected even if your private key is ever compromised. We’re following Mozilla’s own recommended ciphersuite specification and they provide detailed information about the selection.
With this new configuration, our load balancers get an “A” rating from SSLlabs. You can get yourself an “A+” rating if you wish by forcing HTTPS for your whole site with an HTTP Strict Transport Security (HSTS) policy, which you can set yourself by returning the Strict-Transport-Security header.
Secondly, we’re now adding the X-Forwarded-Proto: https header to https requests, which allows your backend servers to distinguish them from http requests. If you need to be sure that a request came in over https, then check the content of that header (we explicitly unset it for http requests so you can’t be tricked). For example, Ruby on Rails’ request.ssl? method supports this and you can enforce your policy using force_ssl.
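Here is an added example, not code from this post or from the load balancer service, showing what a backend behind the load balancer can do with the two points above: decide whether a request arrived over https from the X-Forwarded-Proto header, redirect plain http to https (what Rails’ force_ssl does), and return the Strict-Transport-Security header on https responses. It is written as a Rack-style middleware in plain Ruby so it runs without any gems. The trusted proxy range (10.0.0.0/8 and localhost), the hostnames and the sample environments are constructed for the example; one caveat the post only implies is that the forwarded header should only be honoured when the request really came from the load balancer, so a client that reaches the backend directly cannot spoof it.

```ruby
require 'ipaddr'

# Constructed for this example: addresses from which X-Forwarded-Proto may be
# trusted. Replace with the addresses your load balancers actually use.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8'), IPAddr.new('127.0.0.1')].freeze

# True only when the request reached us over https.
# 'rack.url_scheme' is the standard Rack env key for a TLS connection made
# directly to the backend; otherwise the X-Forwarded-Proto header is honoured
# only if the direct peer (REMOTE_ADDR) is one of the trusted proxies.
def request_secure?(env, trusted = TRUSTED_PROXIES)
  return true if env['rack.url_scheme'] == 'https'
  peer = env['REMOTE_ADDR']
  return false unless peer && trusted.any? { |net| net.include?(peer) }
  # If several proxies append to the header, the first value is the client side.
  env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase == 'https'
end

# Rack-style middleware: http requests get a permanent redirect to https,
# https responses get an HSTS header (one year, covering subdomains).
class ForceSsl
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app, trusted: TRUSTED_PROXIES)
    @app = app
    @trusted = trusted
  end

  def call(env)
    unless request_secure?(env, @trusted)
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      query = env['QUERY_STRING'].to_s
      location += "?#{query}" unless query.empty?
      return [301, { 'Location' => location, 'Content-Type' => 'text/plain' },
              ['Redirecting to https']]
    end
    status, headers, body = @app.call(env)
    [status, headers.merge('Strict-Transport-Security' => HSTS), body]
  end
end

# A trivial application sitting behind the middleware.
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['hello']] }

# Constructed sample environments (not real traffic):
#  1. https via the load balancer   -> 200 with HSTS header
#  2. http via the load balancer    -> 301 to the https URL
#  3. direct hit with a spoofed header from an untrusted peer -> 301
def demo
  stack = ForceSsl.new(APP)
  via_lb_https = { 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
                   'HTTP_HOST' => 'example.com', 'PATH_INFO' => '/' }
  via_lb_http  = { 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'example.com',
                   'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2F' }
  spoofed      = { 'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
                   'HTTP_HOST' => 'example.com', 'PATH_INFO' => '/' }
  [via_lb_https, via_lb_http, spoofed].map { |e| stack.call(e) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |status, headers, _| puts "#{status} #{headers.inspect}" }
end
```

In a real deployment the trusted list should contain exactly the load balancer addresses and nothing wider, and the HSTS max-age is worth starting small while you confirm every subdomain really serves https, since browsers remember the policy for the full period.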
To take advantage of these new tweaks, you just need to create a new load balancer and move the cloud IP from your old one.
That’s it for now but more load balancer improvements are in the pipeline. If you’ve got comments or suggestions then we welcome your input, so get in touch with your requirements.
If you’re not already a customer, you can sign up in about 2 minutes and receive an automatic free £50 credit.