Add support for HTTP Strict Transport Security (HSTS / RFC 6797)

[petermap.myopenid.com]

It would be great if support for HSTS (RFC 6797) would be added to the nginx-core.

Currently HSTS is "enabled" like this
(according to ​https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):

add_header Strict-Transport-Security max-age=31536000;

However this has at least two downsides:

1. The header is only added when the HTTP status code is 200, 204, 301, 302 or 304.
   • It would be great if the header would always be added
2. The header is added on HTTPS and HTTP responses, but according to RFC 6797 (7.2.) it should not:
   • An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

RFC 6797: ​https://tools.ietf.org/html/rfc6797

[Maxim Dounin]

It may worth adding some simpler directive for this, like we do for ​expires. Not sure though.

Note well that it's matter of a correct configuration to add the header only to https responses.

[Gunnlaugur Þór Briem]

In ​a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

[Valentin V. Bartenev]

Replying to Gunnlaugur Þór Briem <gunnlaugur@gmail.com>:

In ​a single HTTP/HTTPS server block, the only way to do that correct configuration is to use an if block — right?

No. The right way is to use the ​map directive.

map $scheme $hsts_header {
    https   max-age=31536000;
}

server {
    listen  80;
    listen  443 ssl;

    add_header Strict-Transport-Security $hsts_header;
}

[Gunnlaugur Þór Briem]

Thanks!

[Jake Gaisser]

While reading up on Nginx and the "add_header Strict-Transport-Security" I seen someplace that by using a later version of Nginx 1.7.X+ its possible to add the header to a single server block and the map directive is not needed?

[dubbelboer.com/erik]

I have created a module just for this: ​https://github.com/atomx/nginx-http-hsts