From f9ea01ba8fae59d60573f8177b52fcbd2b73b698 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Wed, 13 May 2015 18:30:28 +0300
Subject: [PATCH] roles/nginx: Use stronger HSTS header

Include subdomains in the HTTP Strict Transport Security header, and include the "preload" verb to inform Google we want to be pre- loaded into the HSTS preload.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth
---
 roles/nginx/templates/vhost.conf.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index 8688305..16054b8 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -69,7 +69,9 @@ server {
 {% if use_https == "yes" %}
 # Enable this if you want HSTS (recommended, but be careful)
-add_header Strict-Transport-Security max-age=15768000 always;
+# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
+# See: https://hstspreload.appspot.com/
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload; always";
 {% endif %}
 include extra-security.conf;
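Review bot: The nginx `always` flag has been moved inside the quoted header value on the new `add_header` line, so clients now receive a literal `always` token (which RFC 6797 says they must ignore as an unknown directive) and nginx no longer treats it as the flag that emits the header on responses outside its default 2xx/3xx set, such as 404 or 500 — a regression from the removed line, where `always` was outside the value. It should sit outside the quotes: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`. The preload submission site also enforces a minimum max-age (one year, 31536000, at present; it was lower in 2015), so it is worth confirming that 15768000 seconds — roughly six months — still qualifies before submitting. Since `includeSubDomains` plus `preload` is effectively permanent once accepted and breaks any subdomain that cannot serve valid HTTPS, I would make the existing "be careful" comment concrete, e.g. `# includeSubDomains + preload is effectively irreversible: every subdomain must serve valid HTTPS first`.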