Opened 4 years ago

Last modified 22 months ago

#289 accepted enhancement

Add support for HTTP Strict Transport Security (HSTS / RFC 6797)

Reported by: petermap.myopenid.com
Priority: minor
Component: nginx-core
Version: 1.3.x
Keywords: HSTS, SSL, RFC 6797, header
Sensitive: no
nginx -V: nginx/1.1.19

Description

It would be great if support for HSTS (RFC 6797) would be added to the nginx-core.

Currently HSTS is "enabled" like this
(according to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):

add_header Strict-Transport-Security max-age=31536000;

However this has at least two downsides:

  1. The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
    • It would be great if the header would always be added
  2. The header is added on HTTPS and HTTP responses, but according to RFC 6797 (7.2.) it should not:
    • An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

RFC 6797: https://tools.ietf.org/html/rfc6797

Change History (6)

comment:1 Changed 3 years ago by mdounin

  • Priority changed from major to minor
  • Status changed from new to accepted

It may be worth adding some simpler directive for this, like we do for expires. Not sure though.

Note well that it's a matter of correct configuration to add the header only to https responses.

comment:2 Changed 3 years ago by gunnlaugur@…

In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

comment:3 (in reply to comment:2) Changed 3 years ago by vbart

Replying to Gunnlaugur Þór Briem <gunnlaugur@gmail.com>:

In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

No. The right way is to use the map directive.

map $scheme $hsts_header {
    https   max-age=31536000;
}

server {
    listen  80;
    listen  443 ssl;

    add_header Strict-Transport-Security $hsts_header;
}

comment:4 Changed 3 years ago by gunnlaugur@…

Thanks!

comment:5 Changed 2 years ago by jakegaisser@…

While reading up on Nginx and the "add_header Strict-Transport-Security" I saw somewhere that by using a later version of nginx (>= 1.7.5) it's possible to add the header in a single server block and the map directive is not needed?

add_header Strict-Transport-Security max-age=31536000 always;
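The two suggestions in this thread address different shortcomings from the description and are best combined: the map from comment:3 keeps the header off plain-http responses (RFC 6797 7.2), and the always parameter from comment:5 puts it on every status code, not only 200/204/301/302/304. The configuration below is an added example, not from the ticket or from nginx itself; server_name and the certificate paths are placeholders.

```nginx
# Derive the STS value from the request scheme. $hsts_header stays empty
# for http requests, and add_header skips a header whose value is empty,
# so the header is never sent over non-secure transport.
map $scheme $hsts_header {
    https   "max-age=31536000";
}

server {
    listen  80;
    listen  443 ssl;
    server_name example.com;                       # placeholder host

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    # Weak form (what the description complains about): sent on http too,
    # and only with 200/204/301/302/304 responses.
    # add_header Strict-Transport-Security max-age=31536000;

    # Corrected form: "always" (nginx >= 1.7.5) adds the header regardless
    # of status code, including 4xx/5xx; the map keeps it https-only.
    add_header Strict-Transport-Security $hsts_header always;
}
```

After reloading, a request to a missing path over https should still return the header on the 404, while the same request over http should return no Strict-Transport-Security header at all.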

comment:6 Changed 22 months ago by dubbelboer.com/erik

I have created a module just for this: https://github.com/atomx/nginx-http-hsts
