SSL

If you intend to expose Hydra to the internet I strongly recommend putting it behind an SSL reverse proxy, ideally basic auth protected. That gives you the maximum security.

If you can't or don't want to do that you can enable SSL in Hydra. For that you need a certificate which you can either create yourself or get from an issuer. Let's encrypt issues secure, widely accepted certificates for free and without hassle. The only downside is that you need to refresh the certificate at least every 90 days, ideally less. There are loads of tools which aim to make this as easy as possible. I have good experiences with lego.

When you have a certificate and key file you need to convert them to a format that can be read by Hydra: PKCS12.

For that you need OpenSSL and execute the following command: openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out keystore.p12 -name hydra -password pass:<apassword>

After the p12 file has been created enter its full path ("keystore.p12" in the example) and the password you entered ("apassword" in the example) in Hydra's config and restart.

Note: Unfortunately after every renewal of the certificate it must be exported again and Hydra must be restarted for it to use the new certificate. The export can be automated simply and if you're running Hydra as a service you just need to restart it.