Resolved How to add nginx header for all https sites (but NOT plain http)?

[mr-wolf]

It seems we shouldn't be adding this in a file in /etc/nginx/conf.d

add_header Strict-Transport-Security "max-age=15768000; preload" always;

By doing that we're adding it to both http and https and that's something we shouldn't do.
I'm doing this and I can assume many others as this was posted in one of the threads in this forum.

I can of course add the header to each https block of each site, but if there is something like a generic setting, this would be more than welcome.

I noticed this ticket: #289 (Add support for HTTP Strict Transport Security (HSTS / RFC 6797)) – nginx

Anyone knows how to put it in a file for all configurations, but stop it from being used in plain http?

Here is the quote from RFC6797 explicitly (MUST NOT) stating it should NOT be for http
RFC 6797 - HTTP Strict Transport Security (HSTS)
7.2

An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.

 

[mr-wolf]

The answer was in that same link I provided.
I did try the "map solution", but because I was using "always" I couldn't implement it properly without generating a syntax error.
I shouldn't let "always" be part of the variable.

Finally I was able to do it properly and now have this:

cat /etc/nginx/conf.d/aa400_own_tweaks.conf

map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

add_header Strict-Transport-Security $hsts_header always;

ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

ssl_dhparam /etc/dhparam/dhparam4096.pem;

add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;