Downgrade Attacks

To mitigate downgrade attacks, your web server should be configured to accept a minimally strong version of TLS. This will prevent attackers inserting themselves in the TLS handshake, deliberately downgrading the TLS version, and intercepting traffic.

nginx.conf

   server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    # Specify minimal TLS version and preferred cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';
} 