roles/nginx: Use stronger HSTS header

Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" directive to inform Google we want to be
pre-loaded into the HSTS preload list.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
Alan Orth 2015-05-13 18:30:28 +03:00
parent 3a4e7455c7
commit f9ea01ba8f


@ -69,7 +69,9 @@ server {
{% if use_https == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
add_header Strict-Transport-Security max-age=15768000 always;
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload; always";
{% endif %}
include extra-security.conf;
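Review bot: In the new `add_header` line, `always` sits inside the quoted string, so nginx emits it as part of the header value instead of treating it as the `always` parameter that the previous line used. Without that parameter nginx adds the header only to its fixed set of success and redirect status codes, so error responses lose HSTS, and the value carries a stray `always` token. Move it outside the quotes: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`. Because `includeSubDomains` with `preload` commits every subdomain to HTTPS and removal from the preload list is slow, the comment above the directive should say so, and the max-age should be checked against the preload list's current minimum. The enclosing `server` block starts and ends outside the hunk.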