id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
289	Add support for HTTP Strict Transport Security (HSTS / RFC 6797)	petermap.myopenid.com		"It would be great if support for HSTS (RFC 6797) were added to nginx-core.

Currently HSTS is ""enabled"" like this
(according to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
{{{
add_header Strict-Transport-Security max-age=31536000;
}}}

However this has at least two downsides:
1. The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
   - It would be great if the header were always added
2. The header is added on HTTPS '''and''' HTTP responses, but according to RFC 6797 (7.2.) it should not:
   - ''An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.''


RFC 6797: https://tools.ietf.org/html/rfc6797"	enhancement	accepted	minor		nginx-core	1.3.x		HSTS, SSL, RFC 6797, header			nginx/1.1.19
