Configuring HSTS in NGINX

Reference: HTTP Strict Transport Security (HSTS) and NGINX


Header: Strict-Transport-Security

Strict-Transport-Security format

Strict-Transport-Security: <max-age=NUMBER>[; includeSubDomains][; preload]

  • max-age: in seconds. The expiry time of the HSTS policy, generally set to one year, i.e. 31536000 seconds. Because every response carries the HSTS header, the expiry time is refreshed continually.

  • includeSubDomains: the domain's subdomains should also have HSTS enabled.

  • preload: only needs to be set when the domain is added to the browsers' built-in Preload List.


Nginx configuration example

server {
    listen 443 ssl;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # This 'location' block inherits the STS header
    location / {
        root /usr/share/nginx/html;
    }

    # Because this 'location' block contains another 'add_header' directive,
    # we must redeclare the STS header
    location /servlet {
        add_header X-Served-By "My Servlet Handler";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://localhost:8080;
    }
}
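The following is an added example (not part of the original article) that parses a Strict-Transport-Security value along the lines of the format above and audits the headers of several paths, so the add_header inheritance pitfall shown in the /servlet block can be caught before deployment. The SAMPLE_RESPONSES dict is constructed by hand to mirror what the configuration emits before the STS header is redeclared in /servlet.

```python
# Constructed sample, mirroring the two location blocks above: before the fix,
# /servlet carries only X-Served-By, because its own add_header directive
# cancels inheritance of the server-level Strict-Transport-Security header.
SAMPLE_RESPONSES = {
    "/":        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "/servlet": {"X-Served-By": "My Servlet Handler"},
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1):
    ';'-separated directives, case-insensitive names, max-age mandatory,
    duplicate directives invalid, unknown directives ignored."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            parsed["errors"].append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                parsed["max_age"] = int(arg)
            else:
                parsed["errors"].append(f"max-age needs a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        parsed["errors"].append("max-age is required")
    return parsed

def audit_hsts(headers, min_age=31536000):
    """Return a list of findings for one response's headers ([] means OK).
    min_age defaults to the one-year value recommended above."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    p = parse_hsts(value)
    findings = list(p["errors"])
    if p["max_age"] is not None and p["max_age"] < min_age:
        findings.append(f"max-age {p['max_age']} below {min_age}")
    # hstspreload.org submission rules: preload requires includeSubDomains and max-age >= 1 year
    if p["preload"] and (not p["include_subdomains"] or (p["max_age"] or 0) < 31536000):
        findings.append("preload set but includeSubDomains/one-year max-age missing")
    return findings

def audit_site(responses, min_age=31536000):
    """Audit every path of a site; returns {path: findings}."""
    return {path: audit_hsts(hdrs, min_age) for path, hdrs in responses.items()}
```

Running audit_site(SAMPLE_RESPONSES) reports the missing header on /servlet and an empty finding list for /; the same function can be fed headers captured with curl -sI from a real server.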

Original article: https://www.cnblogs.com/tiantiandas/p/configuring-hsts-in-nginx.html