Add support for HTTP Strict Transport Security (HSTS / RFC 6797)
|Reported by:||petermap.myopenid.com||Owned by:|
|Keywords:||HSTS, SSL, RFC 6797, header||Cc:|
It would be great if support for HSTS (RFC 6797) would be added to the nginx-core.
Currently HSTS is "enabled" like this
(according to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
add_header Strict-Transport-Security max-age=31536000;
However this has at least two downsides:
- The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
- It would be great if the header would always be added
- The header is added on HTTPS and HTTP responses, but according to RFC 6797 (7.2.) it should not:
- An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
RFC 6797: https://tools.ietf.org/html/rfc6797