One suggestion for the http-> https redirection:Instead of redirecting http

1. One suggestion for the http-> https redirection:
2.  
3. Instead of redirecting http -> https, serve https only and use hsts headers: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
4.  
5. (more general info about it: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
6.  
7.  
8. For the back-end portion:
9.  
10. I would add these modification in your "ssl config" equivalent for apache/nginx/haproxy/etc (ex: ssl.conf in apache):
11.  
12. SSLHonorCipherOrder on
13. SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
14. SSLProtocol all -SSLv2 -SSLv3
15. SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
16. SSLSessionCacheTimeout 300
17.  
18. ^ This and the hsts will also get you an A+ on ssl labs (https://www.ssllabs.com/ssltest/)
19.  
20.  
21. At last, check out:
22.  
23. * CSP (content secure policy) header
24. * the XFO (x-frame-options) header
25. * the "x-xss" protection header.
26. * the "x-content-type-options" header
27.  
28. All of these mentioned here: https://wiki.mozilla.org/Security/Guidelines/Web_Security
29.  
30. Another great scan: https://observatory.mozilla.org/