Implement securityheaders.com security?

HSTS header isn't enabled by default as improperly enabling it and not understanding implications of enabling HSTS headers can cause you to DOS attack your own site - denial of service. For example, if you enabled HSTS with max-age = 1yr with include subdomains, it means you're telling web browsers only allow HTTPS version of your site to be accessed to visitors for every domain and subdomain *.domain.com and make it valid and enforceable for 1yr. Removing the HSTS after enabling won't help, as it's permanently cached in a web browser unless visitor clears their HSTS cache.

Any subdomain or any non-subdomain without HTTPS SSL certificate will be denied access to your site for that 1yr period. So if you only had intention to enable HTTPS for say domain.com, www.domain.com and blog.domain.com but no intention for HTTPS for say host.domain.com, but you enable HSTS with include subdomain option - then you won't be able to access host.domain.com for that full 1yr period and any visitors won't be able to either as it's HSTS flag is cached in each visitor's web browser and you can't clear it on web server or your end. You effectively have DOS attacked your own site and prevented every visitor from accessing non-HTTPS host.domain.com for that 1yr. Sure you can get visitors to clear their HSTS browser cache as outlined below. But how many are tech savy enough and how do you notify those visitors if they can't access host.domain.com ?

So I leave HSTS add_headers commented out/disabled in Centmin Mod created nginx vhosts by default and let end users like yourself decide if they want to enable HSTS.

Same goes with other security headers, they have an entry left commented out/disabled in nginx vhosts created by Centmin Mod. But they have their own similar implications and consequences for enabling which may affect how your web site functions so you'd need to know what these security headers do and there consequences.

See Enabling HSTS for SSL for specifics

As accessing host.domain.com is usually reserved for stats and admin pages the Centmin Mod LEMP stack owner only needs to access, you can just clear your web browser's HSTS record for the domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this

With that said, if you know what these security headers do and their consequences, enable them. I have for this forum https://securityheaders.com/?q=https://community.centminmod.com/&hide=on&followRedirects=on

 

You're welcome