# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS)                              |
# ----------------------------------------------------------------------
# Force client-side TLS (Transport Layer Security) redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial plaintext HTTP request) for an attacker to
# downgrade or redirect the request.
#
# The following header tells a browser that has received it once to rewrite
# every later `http://` URL for this host to `https://` before the request
# leaves the machine, regardless of what the user types in the address bar.
# The very first visit is still unprotected (the policy is trust-on-first-use),
# which is what preloading (1) addresses.
#
|
2020-01-03 19:34:40 +01:00
|
|
|
# (!) Be aware that Strict Transport Security is not revokable and you
|
|
|
|
# must ensure being able to serve the site over HTTPS for the duration
|
|
|
|
# you've specified in the `max-age` directive. When you don't have a
|
2020-04-14 11:53:56 +02:00
|
|
|
# valid TLS connection anymore (e.g. due to an expired TLS certificate)
|
2020-01-03 19:34:40 +01:00
|
|
|
# your visitors will see a nasty error message even when attempting to
|
|
|
|
# connect over HTTP.
|
|
|
|
#
|
|
|
|
# (1) Preloading Strict Transport Security.
# To submit your site for HSTS preloading, it is required that:
# * the `includeSubDomains` directive is specified
# * the `preload` directive is specified
# * the `max-age` is specified with a value of at least 31536000 seconds
#   (1 year).
# https://hstspreload.org/#deployment-recommendations
#
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://hstspreload.org/

add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;

# (1) Enable your site for HSTS preload inclusion.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
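
# The two server blocks the comments above assume, as an added example that
# is not part of the h5bp file. `example.com`, the certificate paths and the
# document root are placeholders; the `max-age` values are the ones used above.

```nginx
# Added example (not part of the h5bp file). Placeholders: example.com,
# the ssl_certificate* paths and the root directory.

# 1. Plain-HTTP listener: its only job is to redirect to HTTPS.
#    Do NOT emit Strict-Transport-Security here. RFC 6797 (section 8.1)
#    requires browsers to ignore the header on a non-TLS response, and the
#    preload submission checks that this host redirects to HTTPS anyway.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    return 301 https://$host$request_uri;
}

# 2. TLS listener: the only place where the header has any effect.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder

    # `always` makes nginx add the header to every response; without it the
    # header is only added to 200, 201, 204, 206, 301, 302, 303, 304, 307 and
    # 308 responses, so an error page would not refresh the client's policy.
    add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;

    root /var/www/example.com;  # placeholder

    # Pitfall: add_header directives are inherited from the enclosing level
    # only if the inner level has no add_header of its own. A location that
    # sets any other header silently drops HSTS unless it repeats it.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
    }
}
```

# After `nginx -t` and a reload, `curl -sI http://example.com/` should return a
# 301 with a `Location: https://...` header and no Strict-Transport-Security
# header, while `curl -sI https://example.com/` and `curl -sI
# https://example.com/static/app.js` should both carry the header. Switch to
# the `preload` variant above only once every subdomain is served over HTTPS,
# since `includeSubDomains` makes the policy apply to all of them.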