
HSTS settings in examples.conf #109

Closed
TommiContursi opened this issue Sep 17, 2019 · 2 comments · Fixed by #136
Comments

@TommiContursi

I noticed this line has an extra colon inside the quotation marks, and that might affect how browsers parse this header. That colon is probably left over from when 'includeSubDomains; preload' was deleted there. Also, the HSTS header should be sent only over HTTPS and has no effect over HTTP.

#add_header Strict-Transport-Security "max-age=63072000;";

@ottok
Contributor

ottok commented May 26, 2020

Sorry, we seem to have overlooked this bug report. I will fix it now. Thanks for reporting!

@ottok ottok self-assigned this May 26, 2020
ottok added a commit that referenced this issue May 26, 2020
Document the many alternative ways to achieve the same things as mentioned
in the examples.conf. Most of the time we probably don't want users to
create custom Nginx configs if there are easier and more flexible or more
reliable ways to achieve the same in PHP or WordPress itself.

Also fix colon in HSTS example (Closes: #109).
@ottok
Contributor

ottok commented May 26, 2020

Actually, Seravo.com has been using this all the time:

add_header Strict-Transport-Security "max-age=63072000;";

...and it works just fine (and yields A+ status in ssllabs.com).

$ curl -ILs seravo.com | grep strict-trans
strict-transport-security: max-age=63072000;

The extra colon does not hurt anything. Do you have some cases where it would cause issues?
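To settle the parsing question the thread raises, here is an added example (not code from this issue or from the Seravo project) that parses a Strict-Transport-Security value following the RFC 6797 section 6.1 grammar, `[ directive ] *( ";" [ directive ] )`, and then applies the section 8.1 user-agent rules. It shows that the trailing `;` in `max-age=63072000;` is an empty directive the grammar explicitly permits, while a duplicated directive or a missing `max-age` makes a conforming browser drop the policy, and that the same header received over plain HTTP is ignored entirely. The function names (`parse_hsts`, `evaluate_response`) and the sample responses are constructed for the example.

```python
"""Added example: parse and evaluate a Strict-Transport-Security header per RFC 6797.
Function names and sample responses below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False          # not in RFC 6797; consumed by browser preload lists
    ignored: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the field value per the RFC 6797 section 6.1 ABNF:
       [ directive ] *( ";" [ directive ] )
    Empty directives (e.g. a trailing ';') are allowed by that grammar,
    directive names are case-insensitive, and a directive may appear only once.
    Raises ValueError on input a conforming user agent would have to discard."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directive, permitted by the ABNF
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # the quoted-string form of a directive value
        if name in seen:
            raise ValueError(f"directive '{name}' appears more than once")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age needs a non-negative integer (delta-seconds)")
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.ignored.append(name)  # unknown directives are ignored, not fatal
    if policy.max_age is None:
        raise ValueError("max-age is required")
    return policy


def evaluate_response(scheme: str, headers: Dict[str, str]) -> str:
    """Mimic the user-agent side of RFC 6797 section 8.1: the header is only
    processed when it arrived over secure transport and parses cleanly."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return "no HSTS policy"
    if scheme.lower() != "https":
        return "ignored: HSTS received over insecure transport"
    try:
        policy = parse_hsts(sts)
    except ValueError as exc:
        return f"ignored: {exc}"
    scope = "host and subdomains" if policy.include_subdomains else "host only"
    return f"applied: {scope} for {policy.max_age}s"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "https-trailing-semicolon": ("https", {"strict-transport-security": "max-age=63072000;"}),
    "https-full": ("https", {"Strict-Transport-Security":
                             "max-age=63072000; includeSubDomains; preload"}),
    "http-same-header": ("http", {"strict-transport-security": "max-age=63072000;"}),
    "https-duplicate-max-age": ("https", {"strict-transport-security":
                                          "max-age=1; max-age=63072000"}),
}

if __name__ == "__main__":
    for label, (scheme, hdrs) in SAMPLES.items():
        print(f"{label:26} -> {evaluate_response(scheme, hdrs)}")
```

Running the script prints one verdict per sample: the trailing-semicolon header is applied with a 63072000 s lifetime, the HTTP copy is ignored regardless of its content, and the duplicated `max-age` is rejected. When auditing a deployment, feed it the scheme and headers from a real HTTPS response and check that the verdict starts with "applied".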

ottok added a commit that referenced this issue May 26, 2020
Document the many alternative ways to achieve the same things as mentioned
in the examples.conf. Most of the time we probably don't want users to
create custom Nginx configs if there are easier and more flexible or more
reliable ways to achieve the same in PHP or WordPress itself.

PageSpeed example is dropped since it isn't much useful anymore in 2020.

Also fix colon in HSTS example (Closes: #109).
@ottok ottok closed this as completed in 5d0f8d7 Jun 2, 2020