How do I setup HSTS in NGINX?


HTTP Strict Transport Security (HSTS) is meant to protect your website against protocol downgrade attacks (a browser being served plain HTTP where HTTPS was expected).

This declares that your site is to be accessed over HTTPS only, so it also requires you to have a valid SSL certificate at all times. If you do not have a certificate, or it has expired, people will not be able to visit your website, because your web server has told their browsers through HSTS to require SSL and no valid certificate is present.

To do this, we will be adding the following header to your site configuration file:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

In SSH (or by "Edit NGINX Configuration" inside the "Manage" tab on site level) add this inside the server{} block. E.g.:

server {

  server_name example.com;

  # Add HSTS header
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

}

Be sure to have an SSL certificate setup, otherwise you will encounter errors and visitors will not be able to visit your website.

After this has been setup, we recommend you submit your website hostname to this website: https://hstspreload.org/

This is the preload submission list for Chrome, which other well-known browsers (such as Firefox, Internet Explorer, Opera and Safari) also use.

14 May 2019