server-configs-nginx/h5bp/security/strict-transport-security.conf

# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS)                              |
# ----------------------------------------------------------------------

# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
#
# The following header ensures that browser will ONLY connect to your server
# via HTTPS, regardless of what the users type in the browser's address bar.
#
# (!) Be aware that this, once published, is not revokable and you must ensure
#     being able to serve the site via SSL for the duration you've specified
#     in max-age. When you don't have a valid SSL connection (anymore) your
#     visitors will see a nasty error message even when attempting to connect
#     via simple HTTP.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
#     subdomains are not using HTTPS.
#
# (1) If you want to submit your site for HSTS preload (2) you must
#     * ensure the `includeSubDomains` directive to be present
#     * the `preload` directive to be specified
#     * the `max-age` to be at least 31536000 seconds (1 year) according to the
#       current status.
#
#     It is also advised (3) to only serve the HSTS header via a secure
#     connection.
#
# (2) https://hstspreload.org/
# (3) https://tools.ietf.org/html/rfc6797#section-7.2
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/

add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) or if HSTS preloading is desired (respect (2) for current requirements):
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# ----------------------------------------------------------------------`
			`# \| HTTP Strict Transport Security (HSTS) \|`
			`# ----------------------------------------------------------------------`

			`# Force client-side SSL redirection.`
			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# If a user types `example.com` in their browser, even if the server redirects
			`# them to the secure version of the website, that still leaves a window of`
			`# opportunity (the initial HTTP connection) for an attacker to downgrade or`
			`# redirect the request.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# The following header ensures that browser will ONLY connect to your server`
			`# via HTTPS, regardless of what the users type in the browser's address bar.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
			`# (!) Be aware that this, once published, is not revokable and you must ensure`
Fix rebase artifacts 2019-05-16 00:16:13 +02:00			`# being able to serve the site via SSL for the duration you've specified`
			`# in max-age. When you don't have a valid SSL connection (anymore) your`
			`# visitors will see a nasty error message even when attempting to connect`
			`# via simple HTTP.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
			# (!) Remove the `includeSubDomains` optional directive if the website's
Fix rebase artifacts 2019-05-16 00:16:13 +02:00			`# subdomains are not using HTTPS.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
			`# (1) If you want to submit your site for HSTS preload (2) you must`
			# * ensure the `includeSubDomains` directive to be present
			# * the `preload` directive to be specified
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# * the `max-age` to be at least 31536000 seconds (1 year) according to the
			`# current status.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# It is also advised (3) to only serve the HSTS header via a secure`
			`# connection.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
			`# (2) https://hstspreload.org/`
			`# (3) https://tools.ietf.org/html/rfc6797#section-7.2`
			`#`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security`
			`# https://tools.ietf.org/html/rfc6797#section-6.1`
			`# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/`
			`# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/`

			`add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;`
			`# (1) or if HSTS preloading is desired (respect (2) for current requirements):`
			`# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`