How to add the HSTS header only for HTTPS requests on Nginx

September 22, 2016 Web Servers Jesin A Leave a Comment

HTTP Strict Transport Security is a mechanism through which web servers declare themselves to be accessible only over secure connections (HTTPS). This mechanism is implemented by configuring the web server to send an HSTS header in its responses. A typical HSTS header looks like the following:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The standard for HTTP Strict Transport Security, RFC 6797, specifies in Section 7.2 that a web server should not include this header in plain-text HTTP responses.

From section 7.2:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

One way of doing this on Nginx is to place the add_header directive inside an if block. However, add_header requires the if to be inside a location block, which becomes cumbersome if you have multiple location blocks in your Nginx config file. I came across the following elegant solution in an old Nginx Trac ticket.

map $scheme $hsts_header {
    # $hsts_header gets a value only when the request scheme is https;
    # for plain http it stays empty
    https   "max-age=31536000; includeSubDomains";
}

server {
    listen  80;
    listen  443 ssl;

    # add_header skips the header when its value is empty, so plain HTTP
    # responses never carry Strict-Transport-Security
    add_header Strict-Transport-Security $hsts_header;

    # Rest of the virtual host configuration
    # [...]
}

Edit your virtual host file and place the map block above the server block. Add the add_header directive inside the server block. Do a configuration test and reload Nginx if successful.

sudo service nginx configtest
sudo service nginx reload
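To confirm the reloaded configuration behaves as RFC 6797 requires, here is an added Python check (example code, not part of the original post) that takes the raw response head captured over each scheme and reports whether the Strict-Transport-Security header is present only on HTTPS and carries a sane max-age. The sample responses are constructed, and the minimum max-age is an assumed policy value matching the configuration above.

```python
"""Check HSTS placement: present on HTTPS only, as RFC 6797 section 7.2 requires."""

STS = "strict-transport-security"


def parse_hsts(value):
    """Parse an STS header value into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            # valueless directives such as includeSubDomains become True
            directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def sts_values(raw_response):
    """Return every Strict-Transport-Security value in a raw HTTP response head."""
    values = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == STS:
            values.append(value.strip())
    return values


def check_hsts(scheme, raw_response, min_age=31536000):
    """Return (ok, reason) for a response received over the given scheme."""
    values = sts_values(raw_response)
    if scheme == "http":
        # RFC 6797 s7.2: an HSTS host MUST NOT send STS over non-secure transport
        return (not values, "STS header sent over plain HTTP" if values else "ok")
    if not values:
        return (False, "no STS header on HTTPS response")
    if len(values) > 1:
        # RFC 6797 s8.1: a UA processes only the first STS field; extras signal a config error
        return (False, "multiple STS header fields")
    directives = parse_hsts(values[0])
    try:
        age = int(directives.get("max-age", ""))  # max-age is a required directive
    except ValueError:
        return (False, "max-age missing or not an integer")
    if age < min_age:
        return (False, f"max-age {age} below assumed minimum {min_age}")
    return (True, "ok")


# Constructed sample response heads, as curl -sI would print them
HTTPS_OK = "HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
HTTP_OK = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
HTTP_BAD = "HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
```

Feed check_hsts the output of curl -sI http://yourhost/ and curl -sI https://yourhost/ to test a live virtual host.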

More information about the Nginx map directive can be found here – http://nginx.org/en/docs/http/ngx_http_map_module.html#map.

    Jesin's Blog by Jesin A is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
    Based on a work at websistent.com.