Change HSTS header per site or globally

2026-02-24 09:03:29 +07:00 · 2020-02-04 13:06:26 +01:00
parent 93b90c748f
commit 1e7a0fc855
7 changed files with 6 additions and 2 deletions
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -89,6 +89,7 @@ server {
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+	add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
 {% endif %}
 {% endif %}
 	server_name {{ server_name(item.name) }};
@@ -217,6 +218,7 @@ server {
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+	add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
 {% endif %}
 	server_name {{ server_name(item.redirect_from) }};
 	location / {