1.5 Validate and Monitor
Configuring TLS, especially for use on web sites, has become increasingly complex in recent years. There are so many options to choose from that you're virtually guaranteed to do something wrong when you first try. Moreover, things change and break—sometimes accidentally, sometimes through software upgrades. Or sometimes certificates simply expire while still in production. For that reason, we recommend that you find a reliable configuration monitoring tool that you can trust. Use it periodically and continuously to ensure that you stay secure.
Modern browsers support a feature called user agent reporting, which can give you real-time insight into problems that your users are experiencing. Content Security Policy (CSP) is one technology that supports reporting, and it comes with a no-enforcement option for testing purposes. A more recent technology, called Network Error Logging (NEL), provides reporting for a wider range of network problems, including TLS and PKI. NEL is particularly interesting as it gives you a level of visibility over the performance of the infrastructure you don't control—for example, CDNs and cloud providers.
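As an added example that is not part of the original text, the following Python shows the response headers a site sends to opt in to NEL (with CSP in its report-only form) and a small collector-side routine that groups the resulting reports, separating TLS and PKI failures and recording which server IPs they came from, which is what lets you spot a single CDN edge serving an expired certificate. The collector URLs and the report batch are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Headers that opt a site in to reporting (constructed values; collector URLs are
# hypothetical). Report-To names the endpoint group, NEL asks the browser to report
# every network failure but no successes, and CSP is sent in its report-only form.
REPORTING_HEADERS = {
    "Report-To": json.dumps({"group": "nel", "max_age": 86400,
                             "endpoints": [{"url": "https://reports.example.net/nel"}]}),
    "NEL": json.dumps({"report_to": "nel", "max_age": 86400,
                       "failure_fraction": 1.0, "success_fraction": 0.0}),
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri https://reports.example.net/csp",
}

# A constructed batch as a browser would POST it to the collector
# (Content-Type: application/reports+json); body.type carries the NEL error code.
SAMPLE_BATCH = json.dumps([
    {"type": "network-error", "url": "https://www.example.net/", "age": 1200,
     "body": {"phase": "connection", "type": "tls.cert.date_invalid",
              "server_ip": "203.0.113.10", "protocol": "", "status_code": 0}},
    {"type": "network-error", "url": "https://www.example.net/app.js", "age": 900,
     "body": {"phase": "connection", "type": "tls.cert.date_invalid",
              "server_ip": "203.0.113.11", "protocol": "", "status_code": 0}},
    {"type": "network-error", "url": "https://cdn.example.net/img.png", "age": 300,
     "body": {"phase": "dns", "type": "dns.name_not_resolved",
              "server_ip": "", "protocol": "", "status_code": 0}},
    {"type": "network-error", "url": "https://www.example.net/", "age": 10,
     "body": {"phase": "application", "type": "ok",
              "server_ip": "203.0.113.12", "protocol": "h2", "status_code": 200}},
    {"type": "csp-violation", "url": "https://www.example.net/", "age": 5,
     "body": {"effective-directive": "script-src"}},
])

def summarize_nel_reports(payload: str) -> dict:
    """Group NEL failures by error code and, for TLS/PKI errors, the server IPs seen."""
    tls, other, ok = defaultdict(lambda: {"count": 0, "server_ips": set()}), Counter(), 0
    for report in json.loads(payload):
        if report.get("type") != "network-error":
            continue  # the same endpoint may also receive CSP and other report types
        body = report["body"]
        code = body.get("type", "")
        if code == "ok":
            ok += 1
        elif code.startswith("tls."):  # certificate, handshake and protocol failures
            tls[code]["count"] += 1
            tls[code]["server_ips"].add(body.get("server_ip", ""))
        else:
            other[code] += 1
    return {"ok": ok, "other": dict(other), "tls": {
        c: {"count": v["count"], "server_ips": sorted(v["server_ips"])} for c, v in tls.items()}}
```

Run against the sample batch, the summary reports one successful request, one DNS failure, and two expired-certificate failures from two distinct server IPs, while the CSP report is skipped.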