associated data (AEAD) mode of opera,on ciphers (ChaCha20/Poly1305, AES-GCM…) • If possible, explicitly declare server cipher suites (vs. wildcards): – Key exchange (e.g. Ephemeral Ellip@c Curve Diffie Hellman) – Cer,ficate type (e.g., ECDSA or RSA) – Symmetric cipher (e.g., ChaCha20, AES 128) – Mode of opera,on (if block cipher, e.g. GCM) – Message authen,cator construc,on or PRF (e.g., SHA256)