• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved How to add nginx header for all https sites (but NOT plain http)?

mr-wolf

Silver Pleskian
Plesk Guru
It seems we shouldn't be adding this in a file in /etc/nginx/conf.d
Code:
add_header Strict-Transport-Security "max-age=15768000; preload" always;

By doing that we're adding it to both http and https and that's something we shouldn't do.
I'm doing this and I can assume many others as this was posted in one of the threads in this forum.

I can of course add the header to each https block of each site, but if there is something like a generic setting, this would be more than welcome.

I noticed this ticket: #289 (Add support for HTTP Strict Transport Security (HSTS / RFC 6797)) – nginx

Anyone knows how to put it in a file for all configurations, but stop it from being used in plain http?

Here is the quote from RFC6797 explicitly (MUST NOT) stating it should NOT be for http
RFC 6797 - HTTP Strict Transport Security (HSTS)
7.2
An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.
 
Last edited:
The answer was in that same link I provided.
I did try the "map solution", but because I was using "always" I couldn't implement it properly without generating a syntax error.
I shouldn't let "always" be part of the variable.

Finally I was able to do it properly and now have this:

cat /etc/nginx/conf.d/aa400_own_tweaks.conf
Code:
map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

add_header Strict-Transport-Security $hsts_header always;

ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

ssl_dhparam /etc/dhparam/dhparam4096.pem;

add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
 
Last edited:
Back
Top