On the Usability of Deploying HTTPS [pdf] (sba-research.org)
28 points by ivanr on June 30, 2017 | hide | past | favorite | 6 comments


So, TLS libraries, web servers, etc. don't come with sane defaults for TLS settings. They also don't come with sane defaults for security-oriented headers, etc. I assume that's partly why software like Caddy is gaining in popularity.


Is that enough? If I put Caddy in front of my existing infrastructure, am I now secure and doing TLS correctly? That's what I did, but I have no idea if some expert wouldn't look and say "no, this is not done correctly, here are all the parts you missed".


Probably not. The default ciphers are reasonable. HSTS isn't on by default, last I checked. But Caddy does generally seem to aspire to do the right thing by default.

There is a Mozilla tool called Observatory that seems pretty comprehensive in checking TLS setup and some other security settings, headers, etc: https://observatory.mozilla.org


Yes, it's enough for most people. Companies have thrown Caddy in front of their infrastructure last minute before losing PCI compliance due to TLS management problems. As others have said, Caddy doesn't do security headers by default (yet?), but its default TLS parameters are very good.
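The two comments above both come down to the same gap: a proxy like Caddy can hand you good TLS parameters, but the security headers (HSTS, CSP, X-Content-Type-Options and friends) are still up to you, and Observatory is how people usually find out they are missing. The script below is an added example, not code from the thread, from Caddy or from Mozilla Observatory: it runs the same kind of header audit offline against constructed header sets (the `DEFAULT_PROXY` and `HARDENED` dictionaries are made up for the example, and the six-month HSTS threshold is an assumption borrowed from Observatory's scoring, not something the thread states).

```python
"""Offline audit of HTTP security headers, in the spirit of Mozilla Observatory.

Added example for this thread; not Caddy's or Observatory's code. The header
dictionaries below are constructed, not captured from a real server.
"""
import http.client
import re
from typing import Mapping

# Assumed threshold: Observatory treats an HSTS max-age under six months as a
# finding; the browser preload list additionally wants at least one year.
HSTS_MIN_AGE = 15_552_000

# Headers whose absence is itself a finding.
REQUIRED = {
    "strict-transport-security": "Strict-Transport-Security missing: a first visit over plain HTTP can still be downgraded",
    "content-security-policy": "Content-Security-Policy missing",
    "x-content-type-options": "X-Content-Type-Options missing (should be 'nosniff')",
    "referrer-policy": "Referrer-Policy missing",
}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: Mapping[str, str]) -> list:
    """Return a list of findings for one response; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, msg in REQUIRED.items():
        if name not in h:
            findings.append(msg)

    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None:
            findings.append("HSTS has no max-age directive, so browsers ignore it")
        elif hsts["max_age"] < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {hsts['max_age']} is below {HSTS_MIN_AGE} (six months)")
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: subdomains may still be reached over plain HTTP")

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is present but not 'nosniff'")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection: set X-Frame-Options or CSP frame-ancestors")

    return findings


def fetch_headers(host: str, path: str = "/") -> dict:
    """Fetch live response headers over HTTPS (needs network; not used by the offline demo)."""
    conn = http.client.HTTPSConnection(host, timeout=10)  # verifies the certificate by default
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed sample responses: what a bare reverse proxy might send, and a hardened set.
DEFAULT_PROXY = {
    "Server": "Caddy",
    "Content-Type": "text/html; charset=utf-8",
}

HARDENED = {
    "Server": "Caddy",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("default proxy", DEFAULT_PROXY), ("hardened", HARDENED)):
        findings = audit_headers(hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it as-is for the offline comparison, or call `audit_headers(fetch_headers("your.host"))` to check a real deployment. The HSTS parser is the part worth keeping: a header that is present but has a tiny `max-age`, or omits `includeSubDomains`, passes a naive "is the header there" check yet leaves the downgrade window the thread is worried about. The values in `HARDENED` are the kind of thing you would set with Caddy's `header` directive; the point of the script is that nothing sets them for you.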


> Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field

There we go again. You can find it everywhere. The human tendency to underestimate how much we don't understand, and how much others don't understand. Ahh, and how fast everyone forgot it.


There are some good resources out there; the problem here is that most people simply don't care or don't think it's part of their job to fix these things.

https://mozilla.github.io/server-side-tls/ssl-config-generat...

https://cipherli.st/



