# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS)                              |
# ----------------------------------------------------------------------

# Force client-side TLS (Transport Layer Security) redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
#
# The following header ensures that a browser only connects to your server
# via HTTPS, regardless of what the users type in the browser's address bar.
#
# (!) Be aware that Strict Transport Security is not revokable and you
#     must ensure being able to serve the site over HTTPS for the duration
#     you've specified in the `max-age` directive. When you don't have a
#     valid TLS connection anymore (e.g. due to an expired TLS certificate)
#     your visitors will see a nasty error message even when attempting to
#     connect over HTTP.
#
# (1) Preloading Strict Transport Security.
#     To submit your site for HSTS preloading, it is required that:
#     * the `includeSubDomains` directive is specified
#     * the `preload` directive is specified
#     * the `max-age` is specified with a value of at least 31536000 seconds
#       (1 year).
#     https://hstspreload.org/#deployment-recommendations
#
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
# https://hstspreload.org/

add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) Enable your site for HSTS preload inclusion.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;