Nginx.hsts.conf template is wrong

Hi Developers,

nginx.hsts.conf template is wrong! The string is incomplete!

The correct string is:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Yours is missing includeSubDomains and the preload option.
And because of that it fails the HSTS check.
Please fix it in the next release!
Thanks,
Regards

Hi @pwd

No, it isn’t.

Current conf is correct:

add_header Strict-Transport-Security "max-age=31536000;" always;

includeSubDomains and preload are optional and in my case, I don’t want any of them in my conf.


https://hstspreload.org/?domain=

Without includeSubDomains and preload the domain will not pass verification.

I don’t care that a random check says my site doesn’t pass an arbitrary verification.

As I said, includeSubdomains and preload are OPTIONAL.

RFC 6797 - includeSubdomains

Regarding preload, it isn’t even included in the RFC, it is an option promoted by browsers.


Oh well :smiley: That explains everything. Thanks

Then I would just add that, for those who want preloading and subdomains, there could be an option for these. Because otherwise the template will just reset to the basic HSTS after every update.

If you want to use those optional features you can edit the script /usr/local/hestia/bin/v-add-web-domain-ssl-hsts or modify the nginx.hsts.conf file for your domain.

Here, we agree. It would be great if someone added a PR to make them an option from the panel.

If you want a permanent but manual solution, you can remove hsts for your domain and create a new conf file nginx.ssl.conf_hsts with the add_header you need and it won’t be removed either on updates or rebuilds.

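To make the disagreement above concrete, here is an added example (not HestiaCP's code, and not posted by anyone in this thread) that parses a Strict-Transport-Security header value according to the RFC 6797 directive grammar, reports which of the optional directives are present, and separately lists what the hstspreload.org submission rules would complain about. The function names, the `HSTSPolicy` dataclass and the sample header values are my own; the preload rules encoded (max-age of at least one year, includeSubDomains, preload) are the header-related ones published by hstspreload.org, and the script does not check the other requirements such as the HTTPS redirect or the certificate.

```python
"""Parse a Strict-Transport-Security header value (RFC 6797 section 6.1) and
compare it against the header-related hstspreload.org submission rules.

Added example for illustration; not part of HestiaCP or its templates.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org requires


@dataclass
class HSTSPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)  # RFC 6797 conformance problems


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse the header value. Directive names are case-insensitive, each may
    appear only once, unknown directives are ignored, and empty directives
    (for example a trailing ';') are allowed by the RFC grammar."""
    policy = HSTSPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directive, e.g. the trailing ';' in "max-age=31536000;"
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age must be a non-negative integer, got {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive name is ignored, as RFC 6797 requires of UAs
    if policy.max_age is None:
        policy.errors.append("max-age directive is required")
    return policy


def preload_problems(policy: HSTSPolicy) -> List[str]:
    """Header-related reasons hstspreload.org would reject the policy.
    An empty list means the header itself is preload-eligible."""
    problems = list(policy.errors)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the required {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


def nginx_add_header(max_age: int, include_subdomains: bool, preload: bool) -> str:
    """Render the nginx add_header line for the chosen policy, so the optional
    directives can be added to a per-domain conf file without hand-editing."""
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return f'add_header Strict-Transport-Security "{"; ".join(directives)}" always;'


if __name__ == "__main__":
    # Constructed sample values: the template default and the fuller variant.
    for header in ("max-age=31536000;", "max-age=31536000; includeSubDomains; preload"):
        pol = parse_hsts(header)
        print(header, "->", pol, "| preload problems:", preload_problems(pol))
    print(nginx_add_header(ONE_YEAR, True, True))
```

Both header values parse as valid HSTS policies; only the second satisfies the preload checks, which is the whole difference between "conforms to RFC 6797" and "passes hstspreload.org".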
