roles/nginx: Use stronger HSTS header

Include subdomains in the HTTP Strict Transport Security header, and include the "preload" verb to inform Google we want to be pre- loaded into the HSTS preload. See: https://hstspreload.appspot.com/ Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:30:28 +03:00 · 2015-05-13 18:30:28 +03:00 · f9ea01ba8f
commit f9ea01ba8f
parent 3a4e7455c7
1 changed files with 3 additions and 1 deletions
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -69,7 +69,9 @@ server {

        {% if use_https == "yes" %}
        # Enable this if you want HSTS (recommended, but be careful)
-        add_header Strict-Transport-Security max-age=15768000 always;
+        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
+        # See: https://hstspreload.appspot.com/
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload; always";
        {% endif %}

        include extra-security.conf;