From 7212b87f09864e264be9ef4e103a5264f4df8a5d Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Wed, 20 May 2015 15:56:19 +0300
Subject: [PATCH] roles/nginx: Adjust HSTS headers for https block of vhost template

I was only setting it on the PHP block, which is for all dynamic requests (ie pages from WordPress), but it should also be the same for all static files not served from that block.

Signed-off-by: Alan Orth
---
 roles/nginx/templates/https.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 21739ab..705fac7 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -32,5 +32,6 @@ spdy_headers_comp 6; # Enable this if you want HSTS (recommended, but be careful)
- add_header Strict-Transport-Security max-age=15768000 always;
-
+ # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
+ # See: https://hstspreload.appspot.com/
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
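Review bot: The new `add_header` line sends `includeSubDomains; preload` unconditionally from a shared vhost template, while the context comment above it still reads "Enable this if you want HSTS (recommended, but be careful)". Preload-list entries are slow to withdraw, and `includeSubDomains` binds every subdomain of each rendered vhost, including hosts this role may not serve over HTTPS. I would therefore gate the two directives behind a per-vhost variable that defaults to off, e.g. wrap the preload form in `{% if HSTS_PRELOAD_VAR %}` (placeholder name) and keep the plain `max-age=15768000` header as the `{% else %}` branch. Separately, nginx inherits a server-level `add_header` only into a `location` that defines no `add_header` of its own, so any static-file location with its own headers (none are visible in this hunk) would still be served without HSTS. The preload list's submission requirements should also be checked against the 15768000-second `max-age` before relying on the `preload` token.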