TLS Versions and Cipher Suites

Overview

The WAF enforces modern TLS standards to protect your site from cryptographic attacks. All connections are secured with TLS 1.2 or TLS 1.3, a hardened cipher suite configuration, and forced HTTPS — providing strong encryption that meets major compliance requirements.

TLS Version Support

TLS 1.2 and 1.3 Only

Your site only accepts connections on TLS 1.2 and TLS 1.3. Older protocol versions (TLS 1.0, TLS 1.1, SSL 3.0, SSL 2.0) are disabled entirely.

This protects against SSL/TLS downgrade attacks, in which an attacker interferes with the handshake to force a connection onto an older, vulnerable protocol version and then exploits its known weaknesses. Because the older versions are not offered at all, there is nothing to downgrade to.

What This Means for Visitors

The vast majority of modern browsers and devices support TLS 1.2 and 1.3. Visitors using very old browsers (e.g., Internet Explorer on Windows XP) will not be able to connect. This affects a negligible percentage of web traffic and is the industry standard security posture.

Hardened Cipher Suite

The WAF uses a curated set of cipher suites selected for both security and performance. Weak or deprecated ciphers are excluded to prevent attacks that exploit cipher weaknesses.

The cipher suite configuration is managed automatically — you do not need to configure individual ciphers. The WAF selects the strongest mutually supported cipher for each connection.
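The following script is an added example (not the WAF's own code or configuration) showing how a site operator can verify the policy described above: it builds a client context that refuses anything below TLS 1.2 and contains no weak suites, audits that context offline, and can probe a host you operate to record the negotiated version and confirm that a TLS 1.1-capped handshake is refused. The cipher string is an assumption modelled on the policy; the WAF's real cipher list is managed automatically.

```python
"""Check a TLS policy against the requirements described above:
TLS 1.2/1.3 only and no weak cipher suites. Added example, not WAF code."""
import socket
import ssl

# Assumed OpenSSL cipher string modelled on the page's policy (constructed for
# this example; the WAF's actual cipher list is not published here).
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"
# Substrings that identify deprecated or broken algorithms in OpenSSL cipher names.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def hardened_client_context() -> ssl.SSLContext:
    """Client context mirroring the server policy: refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report policy findings for a context without touching the network."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak,
        "suite_count": len(names),
    }


def probe_server(host: str, port: int = 443) -> dict:
    """Live check of a host you operate: negotiated version/cipher, plus whether
    a handshake capped at TLS 1.1 is refused (it should be, per the policy)."""
    result = {}
    with socket.create_connection((host, port), timeout=10) as sock:
        with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
            result["version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    legacy.check_hostname = False
    legacy.verify_mode = ssl.CERT_NONE  # only testing whether the version is offered
    legacy.set_ciphers("DEFAULT:@SECLEVEL=0")  # let local OpenSSL 3 offer TLS 1.1 at all
    legacy.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with legacy.wrap_socket(sock, server_hostname=host):
                result["legacy_rejected"] = False
    except (ssl.SSLError, OSError):
        result["legacy_rejected"] = True
    return result


if __name__ == "__main__":
    import sys
    print(audit_context(hardened_client_context()))
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]))
```

Run it with your own hostname as the first argument to get the live report; without an argument it only prints the offline audit.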

Forced HTTPS

All HTTP requests to your site are automatically redirected to HTTPS before any page content is served. This ensures that no visitor traffic carrying site content is ever sent unencrypted.

This is always on and cannot be disabled. For more details, see Forcing HTTPS.

RSA Key Requirement

The WAF requires RSA-based SSL certificates. ECDSA (ECC) keys are not supported. If you are providing your own certificate, ensure it uses an RSA key. For more details, see SSL Key Requirements.

Compliance

The WAF’s TLS configuration helps meet the encryption requirements of several compliance frameworks:

  • PCI DSS — Requires TLS 1.2 or higher for payment card data protection. TLS 1.0 and 1.1 are explicitly prohibited.
  • GDPR — Requires appropriate technical measures for data protection. TLS 1.2+ with strong ciphers satisfies encryption requirements for data in transit.
  • HIPAA — Requires encryption of electronic protected health information (ePHI) in transit. TLS 1.2+ meets this standard.
  • CCPA — Requires reasonable security procedures for personal information. Modern TLS encryption is considered a baseline requirement.

The WAF’s default configuration meets these requirements out of the box with no additional setup needed.

Security Headers

In addition to TLS encryption, the WAF can enforce security headers that instruct browsers to apply additional protections:

  • X-XSS-Protection — Enables the browser's built-in cross-site scripting filter
  • X-Frame-Options — Prevents clickjacking by blocking the page from being loaded in an iframe
  • X-Content-Type-Options — Prevents MIME-type sniffing attacks

Security headers can be enabled from your WAF dashboard. See Enabling Security Headers for details.

Need Help?

If you have questions about TLS configuration or compliance requirements: