TLS / SSL

How to Get an SSL Labs A+ Grade: A Practical Guide

Step-by-step guide to achieving an SSL Labs A+ rating. Covers TLS 1.3, cipher suites, HSTS, certificate pinning, and common misconfigurations that drag down your score.

5 April 2026 · 9 min read · #SSL Labs #TLS #HTTPS

Why SSL Labs grade matters

Qualys SSL Labs is the industry standard for TLS configuration grading. An A+ rating signals that your HTTPS implementation uses modern cryptography, rejects legacy protocols, and includes HSTS preloading. It is referenced by compliance frameworks, used by security teams during supplier due diligence, and checked by enterprise procurement processes.

More importantly, the weaknesses that drag you below A+ — old cipher suites, missing HSTS, weak DH parameters — are exactly what attackers exploit in downgrade and man-in-the-middle attacks.

The grading criteria

SSL Labs grades four categories, each contributing to the overall score:

  • Certificate (0–100) — validity, chain completeness, key size, signature algorithm
  • Protocol support (0–100) — TLS versions supported vs deprecated
  • Key exchange (0–100) — forward secrecy, DH parameter strength
  • Cipher strength (0–100) — modern AEAD ciphers vs RC4, 3DES, CBC-mode weaknesses

Even a perfect score across all four categories is capped at A if HSTS is missing; the grade is raised to A+ only when a valid HSTS policy is present.

The most common grade killers

TLS 1.0 and 1.1 still enabled

These protocols were deprecated by the IETF in 2021. Any server still accepting TLS 1.0/1.1 connections will be capped below A. Disable them in your web server or CDN configuration.

For nginx: ssl_protocols TLSv1.2 TLSv1.3;
For Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3

Weak cipher suites

CBC-mode cipher suites (especially with SHA-1) are vulnerable to BEAST and Lucky13 attacks. RC4 is broken. Use only AEAD ciphers:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384

No forward secrecy

Forward secrecy means that a future compromise of the server's private key cannot be used to decrypt recorded past sessions. It requires ephemeral key exchange (ECDHE or DHE). Non-ephemeral RSA key exchange provides no forward secrecy.

Missing or short HSTS

HSTS (HTTP Strict Transport Security) tells browsers to connect to the site only over HTTPS for a specified duration. For an A+ grade:

  • max-age must be at least 6 months (15768000 seconds)
  • Include includeSubDomains
  • Include preload to qualify for browser preload lists

For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
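The checks in the sections above (legacy protocols, non-AEAD suites, no forward secrecy, weak HSTS) as one offline script. This is an added example written for this guide, not SSL Labs' scanner or any vendor code; it takes a list of enabled protocol names, OpenSSL/TLS 1.3 cipher suite names and the raw HSTS header value, and the sample configurations are constructed to mirror the grade killers described here.

```python
"""Offline checker for the grade killers listed in the guide above."""

MIN_HSTS_AGE = 15768000  # six months, the A+ threshold the guide names
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # anything below TLS 1.2


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def hsts_issues(header_value):
    """Return the HSTS problems that keep a site off A+."""
    if header_value is None:
        return ["HSTS header missing"]
    d = parse_hsts(header_value)
    issues = []
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < MIN_HSTS_AGE:
        issues.append("HSTS max-age below six months")
    if "includesubdomains" not in d:
        issues.append("HSTS includeSubDomains missing")
    if "preload" not in d:
        issues.append("HSTS preload missing")
    return issues


def is_aead(suite):
    """GCM, CCM and ChaCha20-Poly1305 are the AEAD families; CBC/RC4 are not."""
    s = suite.upper()
    return any(tag in s for tag in ("GCM", "CCM", "CHACHA20"))


def has_forward_secrecy(suite):
    """TLS 1.3 suites are always ephemeral; TLS 1.2 needs ECDHE/DHE in the name."""
    s = suite.upper()
    return "DHE" in s or s.startswith(("TLS_AES_", "TLS_CHACHA20_"))


def config_issues(protocols, suites, hsts_header):
    """Collect every grade killer from the guide in one pass."""
    issues = [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    for s in suites:
        if not is_aead(s):
            issues.append(f"non-AEAD cipher suite: {s}")
        if not has_forward_secrecy(s):
            issues.append(f"no forward secrecy: {s}")
    return issues + hsts_issues(hsts_header)


if __name__ == "__main__":
    # Constructed "before" configuration showing several grade killers at once.
    for issue in config_issues(["TLSv1", "TLSv1.2"], ["AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"], "max-age=3600"):
        print(issue)
```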

Certificate chain issues

A self-signed root, a missing intermediate certificate, or an incomplete chain will cap your grade. Always configure your server to send the full chain (leaf + intermediates). Many CDNs handle this automatically, but self-managed servers often ship just the leaf certificate.

Cloudflare users

If you use Cloudflare, most of the heavy lifting is done for you. Set SSL/TLS mode to Full (Strict), enable TLS 1.3, and enable HSTS in the Edge Certificates section with a 12-month max-age. Enable HSTS preloading last — once submitted to browser preload lists, it takes months to remove.

Check your current TLS grade

VP Shield reports your TLS grade (A+ through F) as part of every passive domain scan. It surfaces the most critical issues without requiring you to send your domain to an external grading service — the scan is read-only and takes under two minutes.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.