Really Simple SSL

HSTS and NGINX

Mark

HSTS and NGINX notice when your website is cached

Since Really Simple SSL Pro 2.0.8, the plugin shows a notice about adding the HSTS header to the NGINX configuration whenever it detects NGINX as the web server. On NGINX the plugin does not edit the server configuration; instead it sends the Strict-Transport-Security header from PHP. This works in most cases, but it breaks as soon as a cache sits in front of PHP: a full-page cache, a CDN or a reverse-proxy cache serves stored HTML without running PHP, so those responses go out without the header and HSTS is only applied to the requests that happen to miss the cache. We therefore recommend setting the HSTS header directly in the NGINX configuration, where it is added to every response regardless of what produced it.

Depending on whether you want to submit your site to the HSTS preload list, add one of these two directives to the HTTPS server block (the one with listen 443 ssl) in your NGINX configuration. Do not put it in the plain-HTTP server block: browsers ignore a Strict-Transport-Security header received over HTTP.

Without preload:
add_header Strict-Transport-Security "max-age=31536000" always;

With preload (the preload list requires a max-age of at least one year, includeSubDomains and the preload token, so all three are needed):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Two NGINX details matter here. The always parameter makes NGINX send the header on every response, not only on 2xx and 3xx status codes. And add_header is only inherited from the enclosing level when the current level has no add_header of its own, so a location block that adds, for example, its own caching headers must repeat the HSTS line or the header silently disappears for those URLs. Before enabling includeSubDomains, make sure every subdomain is reachable over HTTPS, and treat preload as effectively permanent, since removal from the list takes a long time to reach browsers. After editing, test the configuration with nginx -t and reload NGINX.

For more information about configuring HSTS and NGINX, check out this article by NGINX.
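To verify what a browser will actually receive, and to catch the two errors the preload-list submission form reports most often (a missing includeSubDomains and a missing preload token), here is a small POSIX shell checker. It is an example added to this article, not code from Really Simple SSL or NGINX. It assumes the preload-list requirements of a max-age of at least 31536000 seconds plus includeSubDomains and preload, and the two sample responses inside it are constructed for the demonstration, not captured from a real server.

```shell
#!/bin/sh
# Example added to this article (not Really Simple SSL or NGINX code):
# check a Strict-Transport-Security header against the HSTS preload-list
# submission requirements assumed here: max-age >= 31536000, includeSubDomains
# and preload. Plain POSIX sh, so it runs under dash, bash and busybox.

# Extract the Strict-Transport-Security value from raw response headers, such
# as the output of `curl -sI https://example.com`. Prints nothing if the header
# is absent. Only the first occurrence is used, which is what RFC 6797
# section 8.1 tells browsers to do when a server sends the header twice.
hsts_from_response() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Print one line per problem with the header value and return 0 only when the
# value satisfies all three preload requirements.
hsts_preload_check() {
    value=${1:-}
    max_age=''
    has_subdomains=0
    has_preload=0
    ok=0

    # Split on ';' and inspect each directive. Directive names are
    # case-insensitive (RFC 6797), so normalise to lower case and drop
    # whitespace and the optional quotes around the max-age value.
    while IFS= read -r directive; do
        directive=$(printf '%s' "$directive" | tr -d ' \t"' | tr '[:upper:]' '[:lower:]')
        case $directive in
            max-age=*)         max_age=${directive#max-age=} ;;
            includesubdomains) has_subdomains=1 ;;
            preload)           has_preload=1 ;;
            '')                ;;  # empty piece, e.g. from a trailing ';'
            *)                 echo "Warning: unrecognised directive '$directive'" ;;
        esac
    done <<EOF
$(printf '%s' "$value" | tr ';' '\n')
EOF

    case $max_age in
        '')       echo "Error: No max-age directive"; ok=1 ;;
        *[!0-9]*) echo "Error: max-age is not a number: $max_age"; ok=1 ;;
        *) if [ "$max_age" -lt 31536000 ]; then
               echo "Error: max-age $max_age is below the required 31536000 (1 year)"; ok=1
           fi ;;
    esac
    [ "$has_subdomains" -eq 1 ] || { echo "Error: No includeSubDomains directive"; ok=1; }
    [ "$has_preload" -eq 1 ]    || { echo "Error: No preload directive"; ok=1; }
    return $ok
}

# Constructed sample responses (not captured from any real server). The first
# has the shape of a header that fails preload submission, the second the
# shape produced by the corrected "with preload" NGINX directive above.
SAMPLE_WITHOUT_PRELOAD='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000'

SAMPLE_WITH_PRELOAD='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'

for sample in "$SAMPLE_WITHOUT_PRELOAD" "$SAMPLE_WITH_PRELOAD"; do
    value=$(hsts_from_response "$sample")
    echo "Checking: ${value:-<no Strict-Transport-Security header>}"
    if hsts_preload_check "$value"; then
        echo "OK: eligible for the preload list"
    fi
done
```

Against a live site, feed it the real headers: `hsts_preload_check "$(hsts_from_response "$(curl -sI https://www.example.com)")"`. Check several URLs, including a page that is served from cache and a 404, because a header set from PHP only appears on responses PHP actually produced, which is exactly the caching problem described above. If your server answers HEAD requests differently from GET, use `curl -s -o /dev/null -D - https://www.example.com` to capture the headers of a normal GET instead.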

3 Responses

  1. Hi, I use the Pro version on my WordPress at TransIP. Although they support modifying the .htaccess file, the HSTS is ignored. They do not use NGINX, but Apache.

    Is it possible to get this from Really Simple SSL Pro:
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

    When all is set in the plugin and I want to add my site to the HSTS Preload List, it gives two errors:

    Error: No includeSubDomains directive
    The header must contain the `includeSubDomains` directive.

    Error: No preload directive
    The header must contain the `preload` directive.

    Checking from my XS4ALL shell, it indeed does not show it:

    curl -I https://www.cadra.nl
    HTTP/1.1 200 OK
    Date: Fri, 12 Apr 2019 10:10:14 GMT
    Server: Apache
    Strict-Transport-Security: max-age=31536000

    How can I see the “includeSubDomains” too?

    Regards, Sigurd

    1. Hi Sigurd,

      The include subdomains option will show when you enable HSTS preload. Coincidentally, I’ve seen this issue with transip before. Strangely transip does not support HSTS in the .htaccess file. You can only enable it by using the PHP headers. To use this, you need to use a trick: if you disable the option, then set the .htaccess file to not writable, then enable the option again, the plugin will detect this, and set the HSTS header in PHP.

      Let me know if this helps!

      1. Hi Rogier, sorry for the delay. I did not see a notification of your reply and decided today to check.

        Thanks for the suggestion. It works indeed and it is now visible with subdomains.

        You helped me before finding that .htaccess did not support HSTS. I’ve tried it again this month and it looks like they sort of whitelist the .htaccess.
