TLS misconfigurations are the single most common reason SaaS applications score below Grade B on security assessments. Not because TLS is hard — because defaults are wrong and nobody revisits them after initial setup.
SaaSFort’s 60-check scan tests 8 TLS/SSL-specific controls. Here are the 5 fixes that move most SaaS applications from Grade C to Grade A, ranked by impact on your score.
Fix 1: Disable TLS 1.0 and 1.1
Impact on grade: +5 to +10 points
TLS 1.0 (1999) and TLS 1.1 (2006) are deprecated by RFC 8996 since March 2021. Every major browser has disabled them. Yet 12% of web servers still accept TLS 1.0 connections — and automated scanners flag this as a critical finding.
What to configure:
| Platform | Configuration |
|---|---|
| Nginx | ssl_protocols TLSv1.2 TLSv1.3; |
| Apache | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 |
| AWS ALB / CloudFront | ALB: ELBSecurityPolicy-TLS13-1-2-2021-06 (or a newer TLS13-1-2 policy); CloudFront: TLSv1.2_2021 |
| Cloudflare | Settings → SSL/TLS → Minimum TLS Version → 1.2 |
| HAProxy | ssl-default-bind-options ssl-min-ver TLSv1.2 |
TLS 1.2 is the minimum you should accept. TLS 1.3 is preferred — it’s faster (1-RTT handshake vs 2-RTT), removes insecure cipher suites entirely, and provides forward secrecy by default.
NIS2 mapping: Article 21(2)(h) requires “policies and procedures regarding the use of cryptography and, where appropriate, encryption.” A policy that still permits protocols their own standards body has deprecated is hard to defend under that requirement; BSI's own TLS guideline (TR-02102-2) recommends TLS 1.2 and 1.3 only, and auditors commonly treat TLS 1.0/1.1 acceptance as a finding in its own right.
Fix 2: Configure Strong Cipher Suites
Impact on grade: +3 to +8 points
Even with TLS 1.2 enabled, weak cipher suites can downgrade your security. The goal: allow only ciphers that provide forward secrecy (ECDHE or DHE key exchange) and authenticated encryption (AES-GCM or ChaCha20-Poly1305).
Recommended Nginx configuration:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
Ciphers to remove immediately:
- Anything with RC4, 3DES, DES, or NULL
- CBC-mode ciphers (vulnerable to BEAST and Lucky13)
- Non-ECDHE key exchanges (no forward secrecy)
- Export-grade ciphers (40-bit or 56-bit keys)
TLS 1.3 simplifies this entirely: RFC 8446 defines only five cipher suites, all AEAD with ephemeral key exchange. Note that the nginx ssl_ciphers directive above does not govern them (with OpenSSL, TLS 1.3 suites come from a separate Ciphersuites list), so you cannot accidentally weaken 1.3 with a bad 1.2 cipher string. Another reason to prefer 1.3 where possible.
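Fix 1 and Fix 2 state a policy (TLS 1.2 or newer, ephemeral key exchange, AEAD only) but give no way to confirm that a cipher string or a live server actually meets it. The script below is an added example written for this page, not code from the article or from SaaSFort. It assumes only the openssl command-line tool (1.1.1 or 3.x): weak_suites and count_weak expand any OpenSSL cipher string offline and report the suites that break the policy, and accepts_protocol is a live probe for deprecated protocol versions that you point at a host of your own choosing.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from SaaSFort: an offline audit of
# an OpenSSL cipher string (Fix 2) plus a live probe for deprecated protocol
# versions (Fix 1). Assumes only the openssl CLI (1.1.1 or 3.x).
set -u

# The article's recommended nginx ssl_ciphers value, verbatim.
RECOMMENDED='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# Expand a cipher string with `openssl ciphers -v` and print every suite that
# fails the policy "ephemeral key exchange AND AEAD". Output keeps the openssl
# format: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
# Kx=ECDH and Kx=DH are the ephemeral exchanges; Kx=any is how openssl labels
# TLS 1.3 suites, which are ephemeral by construction. Anything whose MAC is
# not AEAD is a CBC (or worse) suite, exactly what the article says to remove.
weak_suites() {
  openssl ciphers -v "$1" 2>/dev/null | awk '
    $3 !~ /^Kx=(ECDH|DH|any)$/ || $6 != "Mac=AEAD" { print }
  '
}

# Number of suites in a cipher string that violate the policy; 0 means clean.
# Returns 2 (printing nothing on stdout) if openssl rejects the string, so a
# typo is never mistaken for a clean configuration.
count_weak() {
  if ! openssl ciphers "$1" >/dev/null 2>&1; then
    echo "invalid cipher string: $1" >&2
    return 2
  fi
  weak_suites "$1" | grep -c .
  return 0
}

# Live probe (needs network, not exercised offline): does host $1 on port 443
# still complete a handshake with protocol $2 (tls1, tls1_1, tls1_2, tls1_3)?
# @SECLEVEL=0 is needed because OpenSSL 3 refuses to even offer TLS 1.0/1.1 at
# its default security level, which would make an insecure server look clean.
accepts_protocol() {
  openssl s_client -connect "$1:443" -servername "$1" "-$2" \
    -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1
}

# Demo: the recommended list is clean, OpenSSL's catch-all "ALL" is not.
printf 'recommended list: %s weak suites\n' "$(count_weak "$RECOMMENDED")"
printf 'ALL: %s weak suites, for example:\n' "$(count_weak ALL)"
weak_suites ALL | head -5
# Against a live server, e.g.:
#   accepts_protocol your.example.test tls1 && echo "still accepts TLS 1.0"
```

Feed count_weak whatever string your nginx, HAProxy or Apache config actually contains; the awk policy is deliberately strict, so fixed-ECDH, RSA key transport, PSK and every non-AEAD suite show up as violations rather than being waved through.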
Fix 3: Complete Your Certificate Chain
Impact on grade: +3 to +5 points
A valid certificate isn’t enough. The server must send the complete chain: the leaf certificate followed by every intermediate up to (but not necessarily including) the root. If an intermediate is missing, a client that trusts only roots cannot link your leaf to anything it trusts, and the connection fails even though the certificate itself is fine. Desktop browsers often hide the problem: Chrome and Safari fetch missing intermediates via the certificate's AIA URL, and Firefox caches and preloads common intermediates, so the failures surface first in API clients, mobile apps, curl and monitoring tools, which do none of that.
How to check:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null
Look for Verify return code: 0 (ok) at the end of the output. unable to get local issuer certificate (code 20) or unable to verify the first certificate (code 21) means the client could not link your leaf to a trusted root, which is almost always a missing intermediate. Also count the certificates printed by -showcerts: you should see the leaf followed by each intermediate. Run the check from a machine with a normal trust store, or pass -CAfile, otherwise every chain looks broken.
Common mistakes:
- Uploading only the leaf certificate to your CDN (missing the intermediate)
- Not updating intermediates when your CA changes their chain (Let’s Encrypt did this in 2024)
- Using self-signed certificates on staging subdomains that are publicly accessible
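The s_client check above needs a live host. To see the failure mode itself, the script below is an added example written for this page, not code from the article or from SaaSFort: it mints a throwaway root, intermediate and leaf with the openssl CLI (1.1.1 or 3.x assumed), then verifies the leaf the way a strict client does, trusting only the root and seeing only what the server sends. The name app.example.test and all file names are made up.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from SaaSFort: reproduce the
# "missing intermediate" failure offline with the openssl CLI.
set -eu

# Build root.crt, int.crt, leaf.crt and fullchain.pem in directory $1.
# Keys are P-256 so this runs in well under a second.
make_test_chain() {
  d="$1"
  # Root CA: self-signed via x509 -req so the CA extensions are explicit.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate, not by the root.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=app.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  # What nginx's ssl_certificate should point at: leaf first, then intermediates.
  cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.pem"
}

# Simulate a strict client: trust only root.crt, receive the PEM bundle $2
# exactly as a server whose ssl_certificate is $2 would send it, and verify the
# first certificate using the rest of the bundle as untrusted intermediates.
# Returns 0 if the chain builds, non-zero otherwise (the classic message is
# "error 20 at 0 depth lookup: unable to get local issuer certificate").
client_verifies() {
  openssl x509 -in "$2" -out "$1/_presented_leaf.pem" 2>/dev/null &&
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/_presented_leaf.pem" >/dev/null 2>&1
}

# Demo: the leaf alone fails, leaf + intermediate verifies.
WORK="$(mktemp -d)"
make_test_chain "$WORK"
for bundle in leaf.crt fullchain.pem; do
  if client_verifies "$WORK" "$WORK/$bundle"; then
    echo "$bundle: chain verified"
  else
    echo "$bundle: verification failed, the intermediate is missing:"
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 | head -2 || true
  fi
done
rm -rf "$WORK"
```

The fix is the last line of make_test_chain: concatenate leaf and intermediates into one file and point ssl_certificate (nginx), SSLCertificateFile (Apache 2.4.8+) or the CDN's certificate upload at that file, not at the bare leaf.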
For NIS2 compliance, certificate chain integrity falls under Article 21(2)(h) cryptography requirements. SaaSFort’s scanner checks both chain completeness and certificate validity as part of its 60-check suite.
Fix 4: Enable HSTS with Preload
Impact on grade: +2 to +5 points
HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS — no exceptions, no fallback to HTTP. Without it, a user’s first request to your domain might go over plain HTTP, exposing them to downgrade attacks.
The full HSTS header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Requirements for preload (hstspreload.org checks all of them):
- Serve a valid HSTS header on the base domain over HTTPS, with max-age of at least 31536000 (one year)
- Include includeSubDomains (covers api., staging., www. and every other subdomain)
- Include the preload directive itself
- Redirect HTTP on the base domain to HTTPS on the same host, and serve the header on that HTTPS response too
- Submit the domain at hstspreload.org for inclusion in the browser preload list
Once preloaded, browsers will never connect to your domain over HTTP — even on first visit. This eliminates an entire class of man-in-the-middle attacks. The preload list ships with Chrome, Firefox, Safari, and Edge.
Warning: Preloading is difficult to undo. Make sure ALL subdomains work over HTTPS before enabling includeSubDomains. A forgotten staging server on HTTP will break when preloaded.
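Since a header that is one directive short will simply be rejected by hstspreload.org, it is worth checking the exact value before submitting. The script below is an added example written for this page, not code from the article or from SaaSFort: hsts_preload_ready applies the max-age, includeSubDomains and preload rules to a header value (directive names are case-insensitive and max-age may be quoted, per RFC 6797), and live_hsts_header fetches the value from a host of your own choosing with curl, which is assumed to be installed. The sample header values in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from SaaSFort: check a
# Strict-Transport-Security value against the hstspreload.org submission rules.
set -u

PRELOAD_MIN_AGE=31536000   # one year, the current preload minimum

# Returns 0 if header value $1 is preload-ready; otherwise prints each reason
# it is not and returns 1. Matching is case-insensitive and tolerates a quoted
# max-age, both of which RFC 6797 allows.
hsts_preload_ready() {
  value="$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' "')"
  ok=0
  # max-age is mandatory; pull out the digits from the max-age=N directive
  age="$(printf '%s' "$value" | tr ';' '\n' | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -1)"
  if [ -z "$age" ]; then
    echo "missing or malformed max-age"; ok=1
  elif [ "$age" -lt "$PRELOAD_MIN_AGE" ]; then
    echo "max-age $age is below the preload minimum $PRELOAD_MIN_AGE"; ok=1
  fi
  case ";$value;" in
    *";includesubdomains;"*) ;;
    *) echo "missing includeSubDomains"; ok=1 ;;
  esac
  case ";$value;" in
    *";preload;"*) ;;
    *) echo "missing preload"; ok=1 ;;
  esac
  return $ok
}

# Live helper (needs network, not exercised offline): the HSTS value host $1
# serves over HTTPS. Browsers ignore HSTS on plain HTTP, so only HTTPS counts.
live_hsts_header() {
  curl -sI --max-time 10 "https://$1/" | tr -d '\r' |
    sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -1
}

# Demo over constructed header values.
for h in 'max-age=31536000; includeSubDomains; preload' \
         'max-age=300; includeSubDomains; preload' \
         'max-age="63072000"; includeSubDomains'; do
  if hsts_preload_ready "$h"; then echo "OK   : $h"; else echo "FAIL : $h"; fi
done
# Against a live host, e.g.:
#   hsts_preload_ready "$(live_hsts_header your.example.test)"
```

The script checks only the header. The redirect from HTTP to HTTPS on the same host and the validity of the certificate are verified separately by hstspreload.org at submission time.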
Fix 5: Enable OCSP Stapling
Impact on grade: +1 to +3 points
OCSP (Online Certificate Status Protocol) lets clients check if your certificate has been revoked. Without stapling, the client contacts the CA directly — adding latency and a privacy leak (the CA sees which sites users visit).
OCSP stapling lets your server fetch the OCSP response and “staple” it to the TLS handshake — faster and more private.
Nginx:
ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuer chain (intermediates plus root) to validate the response; path is an example
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# nginx resolves the OCSP responder hostname itself; an internal resolver is preferable to a public one
resolver 8.8.8.8 8.8.4.4 valid=300s;
Apache:
SSLUseStapling on
# SSLStaplingCache must be set at server level, outside any <VirtualHost>
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Not all hosting platforms support OCSP stapling configuration — managed platforms like Vercel and Netlify handle this automatically. If you’re behind Cloudflare, OCSP stapling is enabled by default. Stapling only does something if the certificate carries an OCSP responder URL: Let’s Encrypt stopped issuing certificates with one in 2025 and moved revocation checking to CRLs, so for those certificates there is nothing to staple and this check is moot.
Quick Audit: Check Your TLS in 60 Seconds
Three approaches, from easiest to deepest:
- SaaSFort scan — Run a free scan to check all 8 TLS/SSL controls plus 52 additional security checks. Each finding is mapped to NIS2 Article 21(2) controls. Export results as a NIS2 compliance PDF.
- SSL Labs — ssllabs.com/ssltest provides deep TLS analysis with an A-F grade. Excellent for one-off checks, but doesn’t cover non-TLS security controls and has no compliance mapping.
- testssl.sh — Open-source command-line tool for comprehensive TLS testing. Best for CI/CD integration alongside SaaSFort’s CI/CD webhooks.
For continuous monitoring — catching certificate expirations, cipher changes, and protocol regressions before they affect your grade — automate with SaaSFort’s API. A scan on every deployment ensures no TLS regression reaches production.
TLS Configuration and Vendor Security Assessments
Enterprise procurement teams include TLS in their initial screening. Here’s what they check and what scores they expect:
| Check | Expected Result | Failure Impact |
|---|---|---|
| Minimum protocol | TLS 1.2+ | Automatic disqualification |
| Forward secrecy | All key exchanges use ECDHE | High-severity finding |
| Certificate chain | Complete, valid, not expired | Critical finding |
| HSTS | Present with max-age 31536000+ | Medium finding |
| Cipher strength | 128-bit+ AES-GCM or ChaCha20 | High-severity finding |
| OCSP stapling | Enabled | Low finding |
| Certificate transparency | CT logs published | Low finding |
For German buyers evaluating NIS2 compliance, TLS configuration maps directly to §30 Abs. 2 Nr. 8 BSIG (cryptography). The BSI Grundschutz++ framework includes specific practices for cryptographic controls that reference these exact requirements.
FAQ
Is TLS 1.2 still secure in 2026?
Yes. TLS 1.2 with strong cipher suites (ECDHE + AES-GCM) is still considered secure. TLS 1.3 is preferred for performance (faster handshakes) and simplicity (no weak cipher options), but TLS 1.2 is not deprecated. The key issue is disabling 1.0 and 1.1, not whether you support 1.3.
My hosting provider manages TLS. Do I still need to check?
Yes. Managed platforms set defaults, but those defaults vary. Vercel and Cloudflare default to strong configurations. Some VPS providers and older hosting platforms still allow TLS 1.0. Run a free scan to see exactly what your live configuration accepts — it takes 60 seconds and might surprise you.
How does TLS affect my SaaSFort security grade?
TLS checks carry high weight in the grade formula. A misconfigured TLS setup (deprecated protocols, weak ciphers, incomplete chain) can drop your grade by 10-15 points. Fixing all 5 issues in this guide typically moves a Grade C to Grade A. The grade formula weighs critical findings at 10 points, high at 7 — and TLS issues often score as critical or high.
Does a TLS A grade satisfy NIS2 requirements?
TLS configuration covers one piece of NIS2 Article 21(2)(h) — cryptography. Full NIS2 compliance requires 9 additional measures (risk analysis, incident handling, business continuity, supply chain, etc.). Use the NIS2 10-step checklist for the complete picture, or our SaaS-specific NIS2 guide for API and multi-tenant isolation requirements. TLS is step 2 — the external baseline scan.
What about certificate transparency (CT logs)?
CT logs provide a public, append-only record of every certificate issued for your domain. They help detect misissued certificates — if a CA issues a certificate for your domain without your knowledge, CT logs expose it. SaaSFort checks CT log presence and certificate issuance history as part of its scan. Most modern CAs (Let’s Encrypt, DigiCert, Sectigo) automatically submit to CT logs.
Check your TLS configuration now. Free scan — tests protocol versions, cipher suites, certificate chain, HSTS, and OCSP in under 60 seconds. Export results as a NIS2 compliance PDF for your audit file. For the complete framework, download our free SaaS Security Playbook 2026.
From reading to action
Scan your domain for free. First results in under 10 seconds, no sign-up required.