Opened 12 years ago

Last modified 4 years ago

#289 accepted enhancement

Add support for HTTP Strict Transport Security (HSTS / RFC 6797)

Reported by: petermap.myopenid.com Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: HSTS, SSL, RFC 6797, header Cc:
uname -a:
nginx -V: nginx/1.1.19

Description

It would be great if support for HSTS (RFC 6797) were added to nginx-core.

Currently HSTS is "enabled" like this
(according to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):

add_header Strict-Transport-Security max-age=31536000;

However this has at least two downsides:

  1. The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
    • It would be great if the header would always be added
  2. The header is added on HTTPS and HTTP responses, but according to RFC 6797 (section 7.2) it should not be:
    • An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

RFC 6797: https://tools.ietf.org/html/rfc6797

Change History (6)

comment:1 by Maxim Dounin, 10 years ago

Priority: major → minor
Status: new → accepted

It may be worth adding some simpler directive for this, like we do for expires. Not sure though.

Note well that it's matter of a correct configuration to add the header only to https responses.

comment:2 by Gunnlaugur Þór Briem, 10 years ago

In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

comment:3 by Valentin V. Bartenev, 10 years ago (in reply to comment:2)

Replying to Gunnlaugur Þór Briem <gunnlaugur@gmail.com>:

In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

No. The right way is to use the map directive.

# $hsts_header is set only for https; for any other scheme it is the empty
# string, and add_header skips a header whose value is empty, so plain-http
# responses never carry Strict-Transport-Security (RFC 6797, section 7.2).
map $scheme $hsts_header {
    https   max-age=31536000;
}

server {
    # one server block serving both schemes
    listen  80;
    listen  443 ssl;

    add_header Strict-Transport-Security $hsts_header;
}

comment:4 by Gunnlaugur Þór Briem, 10 years ago

Thanks!

comment:5 by gintaro, 10 years ago

While reading up on Nginx and the "add_header Strict-Transport-Security" directive, I saw somewhere that by using a later version of nginx (>= 1.7.5) it's possible to add the header in a single server block and the map directive is not needed?

add_header Strict-Transport-Security max-age=31536000 always;
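The two problems in the description and the two fixes in the thread (the scheme map from comment 3 and the `always` parameter from comment 5) can be checked against each other with a small model. The following is an added example and not code from the ticket or from nginx: it models add_header as acting only on the status codes quoted in the description unless `always` is given, mirrors the map as a function of `$scheme`, and parses the Strict-Transport-Security value per RFC 6797 section 6.1. The function names, the `unconditional_hsts_value` variant standing in for the naive `add_header` from the description, and the `SAMPLE_RESPONSES` list are all constructed for the example. It also shows why `always` and the map are complementary rather than alternatives: `always` lifts only the status-code restriction, and the map is what keeps the header off plain-http responses, so the combination a practitioner wants is `add_header Strict-Transport-Security $hsts_header always;`.

```python
"""Added example (not nginx code): a model of the add_header behaviour
discussed in this ticket plus an RFC 6797 parser for the STS value.
The status-code set and the map come from the ticket text; the function
names and sample data are assumptions made for the example."""
import re

# Status codes on which add_header acts without "always", as listed in the
# ticket description (newer nginx versions act on a few more).
ADD_HEADER_DEFAULT_STATUSES = {200, 204, 301, 302, 304}

# RFC 6797 6.1.1: the max-age value is delta-seconds, i.e. 1*DIGIT.
_DELTA_SECONDS = re.compile(r"^[0-9]+$")


def hsts_value_for_scheme(scheme):
    """Mirror of the map from comment 3: a value for https, "" otherwise."""
    return "max-age=31536000" if scheme == "https" else ""


def unconditional_hsts_value(scheme):
    """Mirror of the naive config in the description: same value on any scheme."""
    return "max-age=31536000"


def emitted_header(scheme, status, always, value_for=hsts_value_for_scheme):
    """Return the STS value the modelled server would emit, or None.

    add_header drops a header whose value is empty, and without "always" it
    only acts on ADD_HEADER_DEFAULT_STATUSES; "always" lifts the status
    restriction only and does nothing about the scheme."""
    value = value_for(scheme)
    if not value:
        return None
    if not always and status not in ADD_HEADER_DEFAULT_STATUSES:
        return None
    return value


def parse_sts(value):
    """Parse an STS field value per RFC 6797 section 6.1.

    Returns a dict keyed by lower-cased directive name, or None when the value
    is invalid: max-age is required, no directive may appear twice, and the
    max-age value must be an unsigned integer (quoted or bare). Unknown
    directives are kept, since a UA must ignore them, not the whole header."""
    directives = {}
    for element in value.split(";"):
        element = element.strip()
        if not element:
            continue  # empty elements between ";" are permitted by the grammar
        name, _, val = element.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of a directive value
        if name in directives:
            return None  # RFC 6797 6.1: each directive at most once
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not _DELTA_SECONDS.match(max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


# Constructed (scheme, status) pairs standing in for real responses.
SAMPLE_RESPONSES = [
    ("http", 200), ("http", 404),
    ("https", 200), ("https", 302), ("https", 404), ("https", 500),
]


def audit(responses, always, value_for=hsts_value_for_scheme):
    """Check each response against the two points of the ticket.

    Returns a list of problem strings; an empty list means no STS header
    leaves over plain http (RFC 6797 7.2) and every https response carries
    a syntactically valid one."""
    problems = []
    for scheme, status in responses:
        header = emitted_header(scheme, status, always, value_for)
        if scheme == "http" and header is not None:
            problems.append(f"STS sent over http on {status} (RFC 6797 7.2)")
        elif scheme == "https" and header is None:
            problems.append(f"STS missing on https {status}")
        elif header is not None and parse_sts(header) is None:
            problems.append(f"invalid STS value {header!r} on {scheme} {status}")
    return problems


if __name__ == "__main__":
    for always in (False, True):
        print(f"map + always={always}:", audit(SAMPLE_RESPONSES, always) or "ok")
        print(f"unconditional + always={always}:",
              audit(SAMPLE_RESPONSES, always, unconditional_hsts_value) or "ok")
```

Run stand-alone it prints the audit for the four combinations: the map without `always` still loses the header on https 404 and 500, the naive `add_header` leaks it over http (on every status once `always` is set), and only map plus `always` reports no problems. The parser can be reused on real responses, for example to confirm that a quoted `max-age`, a duplicated directive, or a header without `max-age` is treated as RFC 6797 says.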

comment:6 by dubbelboer.com/erik, 10 years ago

I have created a module just for this: https://github.com/atomx/nginx-http-hsts
