• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Resolved How to add nginx header for all https sites (but NOT plain http)?

mr-wolf

Silver Pleskian
Plesk Guru
It seems we shouldn't be adding this in a file in /etc/nginx/conf.d
Code:
add_header Strict-Transport-Security "max-age=15768000; preload" always;

By doing that we're adding it to both http and https and that's something we shouldn't do.
I'm doing this and I can assume many others as this was posted in one of the threads in this forum.

I can of course add the header to each https block of each site, but if there is something like a generic setting, this would be more than welcome.

I noticed this ticket: #289 (Add support for HTTP Strict Transport Security (HSTS / RFC 6797)) – nginx

Anyone knows how to put it in a file for all configurations, but stop it from being used in plain http?

Here is the quote from RFC6797 explicitly (MUST NOT) stating it should NOT be for http
RFC 6797 - HTTP Strict Transport Security (HSTS)
7.2
An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.
 
Last edited:
The answer was in that same link I provided.
I did try the "map solution", but because I was using "always" I couldn't implement it properly without generating a syntax error.
I shouldn't let "always" be part of the variable.

Finally I was able to do it properly and now have this:

cat /etc/nginx/conf.d/aa400_own_tweaks.conf
Code:
map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

add_header Strict-Transport-Security $hsts_header always;

ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

ssl_dhparam /etc/dhparam/dhparam4096.pem;

add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
 
Last edited:
Back
Top