Nginx - Configuring HTTP Strict Transport Security

With the following configuration, the Nginx web server can be configured to support HTTP Strict Transport Security (HSTS).

The header must be set per website, the configuration file is usually found in /etc/nginx/sites-available/.

server {
listen 443 ssl default deferred;
# config to enable HSTS(HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

The addition of the includeSubDomains option ensures that the browser for all subdomains of the domain will connect via HTTPS. Omitting this option prevents that, but is not recommended. After reloading the Nginx configuration, a header will be presented to the browser of every visitor with an expiry time of 63072000 seconds (2 years). This Strict-Transport-Security header should only be added to the HTTPS (:443) configuration, and not in the HTTP (:80) version.


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up