NGINX HSTS Header

HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by telling browsers to connect to your domain only over HTTPS. NGINX HSTS complements your SSL redirect: the redirect sends the first plain-HTTP request to HTTPS, and the HSTS header makes the browser remember that rule, so on later visits it upgrades to HTTPS itself before any request leaves the machine. The header is supported by all of the most popular web browsers today, including the KaiOS browser.

Implementing the NGINX HSTS header prevents users from overriding invalid or self-signed certificate warnings. Your website will become inaccessible without a valid SSL certificate.

This is the most secure HSTS header with every directive enabled:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Let’s break down each directive of the HSTS header.

max-age: Specifies, in seconds, how long the browser should remember the policy. This is the only required directive. It must be at least “31536000” (one year) to be eligible for HSTS preloading.

includeSubDomains: Applies HSTS to all subdomains. If you add this optional directive, you’ll need to ensure any subdomains used for development and staging purposes have valid SSL certificates installed, because browsers will refuse to connect to them over plain HTTP.

preload: Authorizes preload listing in web browsers if eligible. By default, the user must visit your website once for the browser to save the header for subsequent visits. That means the user is still vulnerable to HTTP downgrade attacks on the first visit. To close that gap, popular browsers ship with a built-in list of every domain submitted to “preload” the HSTS header.

Preloading is a two-step process. First you must add “preload” to your HSTS header, with a max-age that complies with the current preload requirements. Then, you must submit your domain at https://hstspreload.org.

Preloading is most beneficial for larger businesses that can ensure the domain (and subdomains, if applicable) always has a valid SSL certificate. It can take up to six months for a submitted domain to be added to the preload list. Removal can take even longer, between email inquiries and updates to supported browsers, so treat preloading as a long-term commitment.

Adding NGINX HSTS in SSH

After you log into SSH, edit the NGINX server configuration file for the domain. If you only have one domain on the server, edit the default NGINX configuration file:

sudo nano /etc/nginx/sites-enabled/default

Add the following line inside the server block, directly under the “listen” lines (remove “; preload” if not needed). Two caveats: browsers only act on an HSTS header received in an HTTPS response, so in production the line belongs in the server block that terminates TLS (the one with the “listen 443 ssl” lines), and NGINX does not inherit add_header directives into a location block that declares its own add_header, so repeat the line in any such location block.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Remember, the max-age must be at least 1 year (31536000 seconds) for HSTS preloading.

Here’s an example of how this might look in your configuration file:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Browsers only record HSTS from HTTPS responses; in production put this
        # line in the TLS server block (listen 443 ssl) rather than the port 80 one.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # ... remaining server_name, root and location directives ...
}

After you save your changes, validate the configuration with “nginx -t” (a syntax error would otherwise leave NGINX stopped), then restart NGINX:

systemctl restart nginx

Check your server HTTP headers.

curl --head localhost

The HSTS header should display near the bottom. Note that this only confirms NGINX emits the header; because the request to localhost was plain HTTP, a browser would not record the policy from this response, so verify the HTTPS endpoint as well.

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 09 Dec 2021 16:28:01 GMT
Content-Type: text/html
Content-Length: 10701
Last-Modified: Tue, 03 Aug 2021 14:28:03 GMT
Connection: keep-alive
ETag: "00000000-12ab"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes

If you want to double-check from another computer rather than from the server itself, you can use wget, which follows any redirects automatically and prints the headers of each response:

wget --server-response --spider example.com
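The directive rules above (max-age at least one year, includeSubDomains, preload) and the header check just described can be combined into a small audit. The following Python script is an added example, not code from the original article: it parses a raw HTTP response head of the kind “curl --head” prints, extracts the Strict-Transport-Security value, and reports whether the policy is valid, whether a browser would honour it (only when the response came over HTTPS), and whether it meets the hstspreload.org requirements. The sample response is constructed to match the curl output shown above; the function names (parse_head, parse_sts, audit_hsts) and the over_tls parameter are assumptions of this example.

```python
# Constructed sample modelled on the `curl --head localhost` output above (not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.2\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Accept-Ranges: bytes\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # seconds: the minimum max-age hstspreload.org accepts


def parse_head(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.splitlines()
    status = lines[0] if lines else ""
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line terminates the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_sts(value):
    """Parse an STS field value into {directive: value_or_None}; names are case-insensitive."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def audit_hsts(raw, over_tls):
    """Describe the HSTS policy in `raw`: valid? honoured by browsers? preload-eligible?"""
    _, headers = parse_head(raw)
    sts_values = [v for n, v in headers if n == "strict-transport-security"]
    result = {"present": bool(sts_values), "valid": False, "honoured": False,
              "preload_eligible": False, "max_age": None, "findings": []}
    if not sts_values:
        result["findings"].append("no Strict-Transport-Security header in response")
        return result
    if len(sts_values) > 1:
        result["findings"].append("multiple STS headers; browsers process only the first")
    d = parse_sts(sts_values[0])
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        result["findings"].append("max-age missing or not an integer; browsers ignore the header")
        return result
    result["max_age"] = int(max_age)
    result["valid"] = True
    if result["max_age"] == 0:
        result["findings"].append("max-age=0 tells browsers to forget the policy")
    missing = []
    if over_tls:
        result["honoured"] = True
    else:
        # RFC 6797: a browser ignores HSTS received over plain HTTP, so curl to
        # localhost:80 proves only that NGINX emits the header.
        missing.append("header must be delivered in an HTTPS response")
    if result["max_age"] < ONE_YEAR:
        missing.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        missing.append("includeSubDomains directive required")
    if "preload" not in d:
        missing.append("preload directive required")
    if missing:
        result["findings"].extend("not preload-eligible: " + m for m in missing)
    else:
        result["preload_eligible"] = True
    return result


if __name__ == "__main__":
    print(audit_hsts(SAMPLE_RESPONSE, over_tls=True))
    print(audit_hsts(SAMPLE_RESPONSE, over_tls=False))
```

Feed it the text captured from “curl --head https://example.com” (or the header block wget prints) and pass over_tls=True only when the request actually went over HTTPS; the findings list tells you which preload requirement, if any, is still unmet.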

Want to learn more about hardening your NGINX web server? Check out our guide on how to hide your NGINX server version.

 
