Opened 12 years ago
Last modified 4 years ago
#289 accepted enhancement
Add support for HTTP Strict Transport Security (HSTS / RFC 6797)
Reported by: | petermap.myopenid.com | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.3.x |
Keywords: | HSTS, SSL, RFC 6797, header | Cc: | |
uname -a: | |||
nginx -V: | nginx/1.1.19 |
Description
It would be great if support for HSTS (RFC 6797) would be added to the nginx-core.
Currently HSTS is "enabled" like this
(according to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
add_header Strict-Transport-Security max-age=31536000;
However this has at least two downsides:
- The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
- It would be great if the header would always be added
- The header is added on HTTPS and HTTP responses, but according to RFC 6797 (7.2.) it should not:
- An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
RFC 6797: https://tools.ietf.org/html/rfc6797
Change History (6)
comment:1 by , 10 years ago
Priority: | major → minor |
---|---|
Status: | new → accepted |
follow-up: 3 comment:2 by , 10 years ago
In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?
comment:3 by , 10 years ago
Replying to Gunnlaugur Þór Briem <gunnlaugur@gmail.com>:
In a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?
No. The right way is to use the map directive.
map $scheme $hsts_header { https max-age=31536000; } server { listen 80; listen 443 ssl; add_header Strict-Transport-Security $hsts_header; }
comment:5 by , 10 years ago
While reading up on Nginx and the "add_header Strict-Transport-Security" I seen someplace that by using a later version of nginx >= 1.7.5 its possible to add the header to a single server block and the map directive is not needed?
add_header Strict-Transport-Security max-age=31536000 always;
comment:6 by , 10 years ago
I have created a module just for this: https://github.com/atomx/nginx-http-hsts
It may worth adding some simpler directive for this, like we do for expires. Not sure though.
Note well that it's matter of a correct configuration to add the header only to https responses.