Adding HSTS to nginx config
I recently changed my nginx config to redirect all http traffic to https (and all www traffic to no-www).
Would it make sense to also add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
to my server blocks as well? Or that's unneeded since I'm already redirecting all traffic? Would be great to know the pros (and cons, if any).
In case relevant, my current virtual host configuration is:
server {
server_name example.com www.example.com;
listen 80;
return 301 https://example.com$request_uri;
}
server {
server_name www.example.com;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/cert_chain.crt;
... other SSL related config ...
return 301 https://example.com$request_uri;
}
server {
server_name example.com;
listen 443 ssl;
... other SSL related config ...
... remaining server configuration ...
}
HSTS tells the browser to always use https, rather than http. Adding that configuration may reduce the need for forwarding from http to https, so it may very slightly increase website performance and very slightly decrease server load.
For reference, here's the security headers I use on my Nginx based websites. I save this to a single file and include it from all servers that need it, including http and https servers. It allows some common resources like Google and Facebook to load.
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self' www.google-analytics.com ajax.googleapis.com www.google.com google.com gstatic.com www.gstatic.com connect.facebook.net facebook.com;";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
Clarification
You still need the http to https redirection in place.
The accepted answer is great but has become outdated and has a flaw that I have found while researching it line-by-line.
The duration of the HSTS header must be at least three months to satisfy security requirements. I used the following in my security headers snippet to get an A+ on the SSL test:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
Secondly, use of X-Frame-Options
is deprecated (and was never supported by many/most major browsers). The current standard (ie implemented in all major modern browsers) is is Content-Security-Policy
(CSP).
add_header Content-Security-Policy 'frame-ancestors https://mywebapp.mywebsite.example';
As is evident from the example CSP headers will have to be set on a per-site basis (barring clever regex/etc that I haven't seen yet).
I would suggest specifying the always
parameter in add_header
to include this header for the internally generated error pages as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
As well, add the preload
directive to the response header so you can later add your website to the preload list