Adding HSTS to nginx config

nginx https hsts

I recently changed my nginx config to redirect all http traffic to https (and all www traffic to no-www).

Would it make sense to also add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; to my server blocks as well? Or that's unneeded since I'm already redirecting all traffic? Would be great to know the pros (and cons, if any).

In case relevant, my current virtual host configuration is:

server {
    server_name example.com www.example.com;

    listen 80;

    return 301 https://example.com$request_uri;
}

server {
    server_name www.example.com;

    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ... other SSL related config ...

    return 301 https://example.com$request_uri;
}

server {
    server_name example.com;

    listen 443 ssl;
    ... other SSL related config ...

    ... remaining server configuration ...
}

HSTS tells the browser to always use https, rather than http. Adding that configuration may reduce the need for forwarding from http to https, so it may very slightly increase website performance and very slightly decrease server load.

For reference, here's the security headers I use on my Nginx based websites. I save this to a single file and include it from all servers that need it, including http and https servers. It allows some common resources like Google and Facebook to load.

# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self' www.google-analytics.com ajax.googleapis.com www.google.com google.com gstatic.com www.gstatic.com connect.facebook.net facebook.com;";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";

Clarification

You still need the http to https redirection in place.


The accepted answer is great but has become outdated and has a flaw that I have found while researching it line-by-line.

The duration of the HSTS header must be at least three months to satisfy security requirements. I used the following in my security headers snippet to get an A+ on the SSL test:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

Secondly, use of X-Frame-Options is deprecated (and was never supported by many/most major browsers). The current standard (ie implemented in all major modern browsers) is is Content-Security-Policy (CSP).

add_header Content-Security-Policy 'frame-ancestors https://mywebapp.mywebsite.example';

As is evident from the example CSP headers will have to be set on a per-site basis (barring clever regex/etc that I haven't seen yet).


I would suggest specifying the always parameter in add_header to include this header for the internally generated error pages as well.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

As well, add the preload directive to the response header so you can later add your website to the preload list

Related

How do I ask "dig" to only return the IP from a CNAME record?
How to migrate from SQL Server 2005 to 2008
Preventing Mac OS X clients from polluting Windows shares with resource forks
Send email when anyone logs on
How to migrate a BIND DNS server to new hardware?
Automatically sync all zones between BIND 9
SyncToy alternative for Windows 7 - synchronise folder with network drive
Why an empty MAIL FROM address can sent out email?
Where to maintain central source repository?
fdisk - partition in single line
Software to diagnose (ping) a network over 24h?
Why is nat required when proxy is enough? [closed]