nginx – enforce HTTPS with HSTS

HSTS stands for HTTP Strict Transport Security. It means that once the browser knows a website is available over SSL/TLS (HTTPS), it enforces the HTTPS connection itself, without sending any unencrypted request to the nginx server (this is different from a normal HTTP redirect in the vhost config, where the first request still goes out in plain text). The browser stores this policy like a kind of cookie together with a TTL (time to live, the max-age), and from then on forwards you instantly to the HTTPS website.
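To make the behaviour described above concrete, here is an added example (not code from the original post) that simulates the two halves of what a browser does: parsing the Strict-Transport-Security header into a policy with an expiry, and rewriting later http:// URLs to https:// while the policy is alive. The host names, header values and the fixed clock are constructed for the example; the rule that the header is only honoured on an HTTPS response is the one from RFC 6797.

```python
"""Hypothetical simulation of a browser's HSTS policy cache (added example, not from the post)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds since epoch) when the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing or malformed; a browser ignores such a header.
    Directive names are case-insensitive, so 'includeSubdomains' and 'includeSubDomains' both work.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """The 'cookie with a TTL' the post describes: host -> policy, consulted before every request."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be simulated
        self.policies = {}

    def observe_response(self, url: str, headers: dict) -> bool:
        """Record the policy carried by a response. Returns True if a policy was stored or cleared."""
        parts = urlsplit(url)
        # RFC 6797 section 8.1: the header is ignored unless received over a secure transport.
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            # max-age=0 tells the browser to forget the host (the only way to 'undo' HSTS remotely)
            self.policies.pop(parts.hostname, None)
            return True
        self.policies[parts.hostname] = HstsPolicy(self.now() + max_age, include_sub)
        return True

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually fetch: upgraded to https if a live policy covers it."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        labels = parts.hostname.split(".")
        # Walk from the exact host up to its parent domains (parents only count with includeSubDomains).
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.policies[candidate]     # TTL ran out: policy is dropped, http is sent again
                continue
            if i == 0 or policy.include_subdomains:
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

The point the simulation makes is that the upgrade happens inside the browser: once `observe_response` has seen the header on an HTTPS response, `rewrite` turns every later http:// URL for that host (and, with includeSubDomains, its subdomains) into https:// before any packet leaves the machine, and it keeps doing so until max-age seconds have passed.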

Put this line in the http block of your nginx.conf (31536000 is one year in seconds):

nano /etc/nginx/nginx.conf

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
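For context, here is an added example configuration (not the post's own nginx.conf) showing where the header ends up in practice: the plain-HTTP server only redirects, and the header is sent from the HTTPS server. The domain, certificate paths and document root are placeholders.

```nginx
# Added example, not from the original post. example.com and the paths below are placeholders.

server {
    listen 80;
    server_name example.com;
    # Plain HTTP: only redirect. A browser ignores an HSTS header that arrives over HTTP,
    # so sending it here would have no effect anyway.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path

    # "always" adds the header to error responses too (not just 2xx/3xx).
    # Consider a short max-age (e.g. 300) while testing: once clients have stored
    # a one-year policy, they will refuse plain http to this host for that long.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/example.com;   # placeholder
    }
}
```

Two things to check when using this pattern: an add_header inside a location block replaces all add_header directives inherited from the server or http block, so a location that adds its own headers must repeat the HSTS line; and includeSubDomains commits every subdomain of the host to HTTPS, so all of them need a valid certificate before the header goes live.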

If you visit this http page via your browser and reload the website, it enforces the https connection and sets the „cookie“.

When you visit the website again via http you’ll get instantly directed to https. In my case I haven’t configured the SSL certificate/vhost for this domain yet, so I get this nice error (but you can see that HSTS is working correctly):

Diese Website verwendet HTTP Strict Transport Security (HSTS), um mitzuteilen, dass Firefox nur über gesicherte Verbindungen mit ihr kommunizieren soll. Daher ist es nicht möglich, eine Ausnahme für dieses Zertifikat anzulegen.
