i want to activate HSTS on my website, i have uncommented hsts rule these rule that i have tried: add_header Strict-Transport-Security "max-age=31536000" always; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; add_header Strict-Transport-Security "max-age=31536000;"; i have nprestart too i check using curl -I MyDomain | Domain Names, Web Hosting, and Free Domain Services and also ssllabs
you're testing against html files so need to add header to /usr/local/nginx/conf/staticfiles.conf for html location context too Code: location ~* \.(html|htm|txt)$ { #add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; access_log off; expires 1d; break; }
Great, whats is the best rule? add_header Strict-Transport-Security "max-age=31536000" always; or add_header Strict-Transport-Security "max-age=31536000;"; i don't have subdomain
read Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS and RFC 6797 - HTTP Strict Transport Security (HSTS) i don't see any reference to always, where you get that from ?