Security is the top priority at FreeSSL.tech. We are happy to explain the security precautions we have implemented for our Let's Encrypt client/app and for this website.
1. As this is a server-side app, it generates everything (private key, CSR, SSL certificate) on the user's own server. Our server never sees any of it. The source code is open, so you can audit it.
2. The private key, CSR and SSL certificates are stored above the publicly accessible directory of your hosting account ('public_html'), so the web server cannot serve them.
3. Sensitive credentials (passwords, API secrets) are stored encrypted with OpenSSL.
4. During installation of the app, if the user does not have an SSL certificate installed on the current domain (the one from which he/she is accessing the app), the app displays an option to issue a free SSL certificate for that domain with a single click. The user can use this quick option before installing the app, which ensures that no password ever has to be entered over an unencrypted connection, right from the start. This option also tries to store the private key, CSR and SSL certificates above the 'public_html' directory. However, if the user's server does not define $_SERVER['HOME'], it stores everything with 700 file permissions, which means no one other than the authorized user can access the private key, CSR and SSL certificates.
5. All forms are protected with CSRF tokens.
6. We disabled directory browsing using the following code in the .htaccess file:
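The storage rule described in item 4 above, as an added PHP example that is not FreeSSL.tech's own code (and is separate from the .htaccess directive item 6 refers to); the directory names and function names are assumptions chosen for illustration:

```php
<?php
// Added example, not FreeSSL.tech's own code; '.freessl-keys' and 'keys' are
// assumed directory names chosen for illustration.

/**
 * Choose where the private key, CSR and certificate are written. Preferred:
 * under $_SERVER['HOME'], i.e. above public_html, so the web server never
 * serves them. Fallback when the host does not define HOME: a directory next
 * to the app, created with mode 0700 so only the account owner can enter it.
 */
function resolveKeyStoreDir(array $server, string $appDir): string
{
    $home = $server['HOME'] ?? '';
    $dir = ($home !== '' && is_dir($home))
        ? rtrim($home, '/') . '/.freessl-keys'
        : rtrim($appDir, '/') . '/keys';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create key directory: $dir");
    }
    chmod($dir, 0700); // re-apply in case the umask widened it
    return $dir;
}

/** True when $dir lies outside the document root, i.e. not reachable over HTTP. */
function isOutsideDocumentRoot(string $dir, string $docRoot): bool
{
    if ($docRoot === '') {
        return false; // unknown document root: cannot verify, treat as exposed
    }
    $real = realpath($dir);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false; // cannot verify, so treat the directory as exposed
    }
    return strpos($real . '/', rtrim($root, '/') . '/') !== 0;
}

$dir = resolveKeyStoreDir($_SERVER, __DIR__);
if (!isOutsideDocumentRoot($dir, $_SERVER['DOCUMENT_ROOT'] ?? '')) {
    error_log("Key directory $dir may be web-accessible; relying on mode 0700 only");
}
```

The second function is the check a practitioner would add: when the fallback path is taken, the files sit inside the web root and the 0700 mode is the only thing keeping them private, so the condition is logged rather than silently accepted.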
We have followed security best practices to make this website secure:
1. We have implemented the HTTP Strict Transport Security (HSTS) header. https://freessl.tech is included in the HSTS preload list: https://hstspreload.org/?domain=freessl.tech
2. We have implemented other security headers: Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Feature-Policy.
5. Grade A+, Score: 100/100 at https://observatory.mozilla.org/analyze/freessl.tech
6. Score A+ at https://tls.imirhil.fr/https/freessl.tech
7. Grade A+ at https://www.htbridge.com/ssl/?id=0t8WdfgX