roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we can use it consistently across all templates. Also, it updates the max-age to be ~1 year in seconds, which is recommended by Google. See: https://hstspreload.org/
This commit is contained in:
parent
f85eb2841a
commit
96cefc7f74
@ -20,6 +20,10 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
||||
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
|
||||
|
||||
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
|
||||
# in seconds, see: https://hstspreload.org/
|
||||
nginx_hsts_max_age: 31536000
|
||||
|
||||
# install acme.sh?
|
||||
# True unless you're in development and using "localhost" + snakeoil certs
|
||||
use_letsencrypt: True
|
||||
|
@ -51,5 +51,5 @@
|
||||
# Enable this if you want HSTS (recommended, but be careful)
|
||||
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
||||
# See: https://hstspreload.appspot.com/
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
|
@ -98,7 +98,7 @@ server {
|
||||
# Enable this if you want HSTS (recommended, but be careful)
|
||||
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
||||
# See: https://hstspreload.appspot.com/
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
|
||||
include extra-security.conf;
|
||||
|
@ -9,7 +9,7 @@
|
||||
# Enable this if you want HSTS (recommended, but be careful)
|
||||
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
||||
# See: https://hstspreload.appspot.com/
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
# Enable this if you want HSTS (recommended, but be careful)
|
||||
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
||||
# See: https://hstspreload.appspot.com/
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user