
Strict Transport Security misconfiguration in nginx webserver #1910

Closed
kaushalshriyan opened this issue Jun 7, 2021 · 1 comment

Comments


kaushalshriyan commented Jun 7, 2021

```
./testssl.sh --version

###########################################################
testssl.sh 3.0.5 from https://testssl.sh/
(e0c83b2 2020-02-24 14:21:28 -- )

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on MacBook-Pro:./bin/openssl.Darwin.x86_64
(built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
```

Currently, I am encountering the below issue.

```
Testing HTTP header response @ "/"

HTTP Status Code              200 OK
HTTP clock skew               -427323 sec from localtime
Strict Transport Security     misconfiguration: Strict-Transport-Security 2x -- checking first one only
                              365 days=31536000 s, includeSubDomains

Public Key Pinning            --
Server banner                 nginx
Application banner            --
Cookie(s)                     (none issued at "/")
Security headers              X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              X-UA-Compatible: IE=edge
                              Cache-Control: max-age=21600, public
                              X-XSS-Protection: 1; mode=block
Reverse Proxy banner          --
```

I have added `add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";` in the /etc/nginx/nginx.conf file. I am using the below command to run the TLS test.

```
./testssl.sh --htmlfile developerportaltest.mydomain.com.`date +%F`.T1.html developerportaltest.mydomain.com
```

Please suggest.


drwetter commented Jun 7, 2021

I don't understand what your point is.

If it says 2x it is two times. Maybe your application sets this header flag too. That part of your story is completely missing.

If it's a bug I am happy to reopen

drwetter closed this as completed Jun 7, 2021
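As an added illustration of the finding above (not code from testssl.sh or from either participant), the following Python snippet parses a constructed HTTP response head and reports duplicate Strict-Transport-Security headers and whether they disagree. The sample is modelled on the issue: the first header carries 365 days (31536000 s), which matches testssl.sh's output but not the 63072000 s (730 days) in the nginx directive, so the first header evidently comes from another component, as drwetter suggests. The parser goes slightly beyond the issue by also handling the `preload` directive and case-insensitive directive names.

```python
# Constructed sample response head (not captured from the reporter's server):
# one HSTS header from the upstream application, a second one appended by nginx.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubdomains; \r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Split a raw response head into (name, value) pairs, keeping duplicates in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value):
    """Parse an HSTS value into its RFC 6797 directives (names are case-insensitive)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.strip().lower(), val.strip('" ')
        if key == "max-age" and val.isdigit():
            out["max_age"] = int(val)
        elif key == "includesubdomains":
            out["include_subdomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def check_hsts(raw):
    """Count HSTS headers and flag conflicts; a browser honours only the first (RFC 6797 s.8.1)."""
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    parsed = [parse_hsts(v) for v in values]
    policies = {(p["max_age"], p["include_subdomains"], p["preload"]) for p in parsed}
    return {"count": len(values), "first": parsed[0] if parsed else None,
            "duplicate": len(values) > 1, "conflicting": len(policies) > 1}


if __name__ == "__main__":
    print(check_hsts(SAMPLE_RESPONSE))
```

Because `add_header` only appends, an HSTS header emitted by a proxied upstream is passed through alongside it; making nginx the single source of the policy requires suppressing the upstream's copy (for example with `proxy_hide_header`), a general nginx behaviour not stated in the issue.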