From d694616cf3a21f63a758795c3d7ae342f356d6c5 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sun, 20 Nov 2016 17:22:47 +0200
Subject: [PATCH] roles/nginx: Make sure to set HSTS headers on WordPress static files

I realized the other day that due to complex logic in the location blocks, various WordPress static files like images and stylesheets didn't get the HTTP Strict Transport Security header set. We need to include it on each level where we are setting headers, because nginx overwrites headers if you set them again in a child block.
---
 roles/nginx/templates/wordpress.j2 | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/roles/nginx/templates/wordpress.j2 b/roles/nginx/templates/wordpress.j2
index dd65a39..8d6e2ac 100644
--- a/roles/nginx/templates/wordpress.j2
+++ b/roles/nginx/templates/wordpress.j2
@@ -4,10 +4,24 @@
 # also serves static files from the disk instead of passing to interpreter.
 location / {
 try_files $uri $uri/ /index.php?$args;
+
+ {% if enable_hsts == True %}
+ # Enable this if you want HSTS (recommended, but be careful)
+ # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
+ # See: https://hstspreload.appspot.com/
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ {% endif %}
 }
 
 location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
 add_header Cache-Control "max-age=604800";
+
+ {% if enable_hsts == True %}
+ # Enable this if you want HSTS (recommended, but be careful)
+ # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
+ # See: https://hstspreload.appspot.com/
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+ {% endif %}
 }
 
 # Add trailing slash to */wp-admin requests.
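Review bot: The fix is pasted verbatim into both `location /` and the static-file `location ~*` block, which is exactly the pattern that let the header go missing in the first place: the next `location` that calls `add_header` (the wp-admin and PHP handlers further down the template are outside this hunk and should be checked too) will silently drop HSTS again. Moving the three comment lines plus the `add_header Strict-Transport-Security ...` line into a single `include`d snippet (path per the role's layout) and including it in every block that sets headers keeps one source of truth and makes the omission harder to repeat. The copied comment `# Enable this if you want HSTS (recommended, but be careful)` is also stale now that the directive is gated by `{% if enable_hsts == True %}`; replacing it with `# nginx add_header is not inherited once a location sets its own headers, so HSTS must be re-added here` records the reason from the commit message where the next maintainer will see it. Finally, `{% if enable_hsts %}` is the idiomatic Jinja form; `== True` is false for a string-valued `"true"` passed via extra-vars, which would disable HSTS without any error.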