Hi Developers,
nginx.hsts.conf template is wrong! the string is incomplete!
The correct string is:
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” always;
Yours is missing includeSubDomains and the preload option.
And because of that it fails the HSTS check.
Please fix it in the next release!
Thanks,
Regards
Hi @pwd
No, it isn’t.
Current conf is correct:
add_header Strict-Transport-Security "max-age=31536000;" always;
includeSubDomains and preload are optional and in my case, I don’t want any of them in my conf.
https://hstspreload.org/?domain=
Without includeSubDomains and preload the domain will not pass verification.
I don’t care that a random check says my site don’t pass an arbitrary verification.
As I said, includeSubdomains and preload are OPTIONAL.
RFC 6797 - includeSubdomains
Regarding preload, it isn’t even included in the RFC, it is an option promoted by browsers.
Oh well 
That explains everything. Thanks
Then I would just add that for those who want preloading and subdomains, there could be an option for these. Because that way, the template will only reset to the basic hsts after every update.
If you want to use those optional features you can edit script /usr/local/hestia/bin/v-add-web-domain-ssl-hsts or modify the nginx.hsts.conf file for your domain.
Here, we agree. It should be great that someone add a PR to add them as an option from panel.
If you want a permanent but manual solution, you can remove hsts for your domain and create a new conf file nginx.ssl.conf_hsts with the add_header you need and it won’t be removed either on updates or rebuilds.