server-configs-nginx/h5bp/security/strict-transport-security.conf

39 lines
2.0 KiB
Nginx Configuration File

# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ----------------------------------------------------------------------
# Force client-side TLS (Transport Layer Security) redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
#
# The following header ensures that a browser only connects to your server
# via HTTPS, regardless of what the users type in the browser's address bar.
#
# (!) Be aware that Strict Transport Security is not revokable and you
# must ensure being able to serve the site over HTTPS for the duration
# you've specified in the `max-age` directive. When you don't have a
# valid TLS connection anymore (e.g. due to an expired TLS certificate)
# your visitors will see a nasty error message even when attempting to
# connect over HTTP.
#
# (1) Preloading Strict Transport Security.
# To submit your site for HSTS preloading, it is required that:
# * the `includeSubDomains` directive is specified
# * the `preload` directive is specified
# * the `max-age` is specified with a value of at least 31536000 seconds
# (1 year).
# https://hstspreload.org/#deployment-recommendations
#
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://hstspreload.org/
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) Enable your site for HSTS preload inclusion.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;