# ---------------------------------------------------------------------- # | HTTP Strict Transport Security (HSTS) | # ---------------------------------------------------------------------- # Force client-side SSL redirection. # # If a user types `example.com` in their browser, even if the server redirects # them to the secure version of the website, that still leaves a window of # opportunity (the initial HTTP connection) for an attacker to downgrade or # redirect the request. # # The following header ensures that browser will ONLY connect to your server # via HTTPS, regardless of what the users type in the browser's address bar. # # (!) Be aware that this, once published, is not revokable and you must ensure # being able to serve the site via SSL for the duration you've specified # in max-age. When you don't have a valid SSL connection (anymore) your # visitors will see a nasty error message even when attempting to connect # via simple HTTP. # # (!) Remove the `includeSubDomains` optional directive if the website's # subdomains are not using HTTPS. # # (1) If you want to submit your site for HSTS preload (2) you must # * ensure the `includeSubDomains` directive to be present # * the `preload` directive to be specified # * the `max-age` to be at least 31536000 seconds (1 year) according to the # current status. # # It is also advised (3) to only serve the HSTS header via a secure # connection. # # (2) https://hstspreload.org/ # (3) https://tools.ietf.org/html/rfc6797#section-7.2 # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # https://tools.ietf.org/html/rfc6797#section-6.1 # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/ # https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/ add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always; # (1) or if HSTS preloading is desired (respect (2) for current requirements): # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;