I take pride in making my website perform as well as it possibly could, while staying practical about it.
The key-signing key can't be leaked (it is stored in an HSM).
Zone-signing keys, used for record signing, are signed by the key-signing key.
|IP Protocols||IPv6 (anycast)|
|Running on||nginx (mainline)|
|Backed by||PHP 7.3|
|Protocol negotiation methods||ALPN, NPN.|
|Compression methods (resources only)||gzip (static and dynamic)|
|TLS Required||Yes, full redirect with HSTS-header. Subdomains included.|
|TLS Dynamic Record Sizing||Disabled.|
|TLS Ciphers (TLSv1.3)||AES-128-GCM-SHA256 (fastest for desktops), CHACHA20-POLY1305-SHA256 (fastest for mobile)|
|TLS Ciphers (TLSv1.2)||EECDH+AESGCM|
|TLS Certificate Provider||Let's Encrypt (Main)|
|TLS Certificate CAA-record||Enabled. Secured with DNSSEC.|
|TLS Certificate Types||384-bit Elliptic Curve with SHA256+RSA signature.|
|TLS Certificate TLSA/DANE|
|TLS Certificate OCSP Stapling||Enabled.|
|TLS ECDH Curves||secp384r1|