Score:0

HSTS max-age not effective/no update in Nginx


Using Debian 10 and a fresh Nginx 1.20.1 install, when I check `curl -I https://example.com` I get `Strict-Transport-Security: max-age=2592000`, and when I check my website at https://www.ssllabs.com/ssltest/analyze.html, I see the result as

Strict Transport Security (HSTS) Yes TOO SHORT (less than 180 days) max-age=2592000

I searched all of my nginx.conf and all included files, but I can't find the directive `add_header Strict-Transport-Security ...`.

So I added the following line to my server block, http block and location block (all of them, one of them, and different combinations):

add_header Strict-Transport-Security "max-age=41536000; includeSubDomains; preload" always; 

and again checked in the above link and the result was :

Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header

It is worth saying that, in both of the above cases, when I check the response headers in the Firefox browser, max-age is 2592000, and again my newly added directive does not come into effect!

I'm using Cloudflare as my DNS server, so I enabled/disabled HSTS in my dashboard, but no change was observed.

Let me know how I could find the default value of the Strict-Transport-Security max-age in Nginx and how to change it effectively.

If it is from Nginx, it may be shown with the following command... `sudo nginx -T | grep -i Strict-Transport-Security`.
Score:3

Cloudflare is the TLS-terminating endpoint that the rest of the world sees. Therefore it sets the HSTS headers. The origin HSTS headers are ignored by Cloudflare.

You need to modify the HSTS settings in Cloudflare control panel.

Thanks, but as I said in the question, the problem is: `I'm using Cloudflare as my DNS server, so I enabled/disabled HSTS in my dashboard but no changes observed`. I changed max-age and cleared everything in my browser and checked with curl and online TLS checkers, but max-age is always 2592000.
Score:0

My web app is built with ASP.NET Core, and it has a default value of 30 days for HSTS when HTTPS is enabled in Startup.cs. This caused the Nginx configuration to be treated as a duplicate and produced errors in the analyzers.
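An added example (not part of the original question or answers) that ties the earlier `nginx -T | grep` comment and this answer together: capture the response headers at each layer (application, nginx origin, Cloudflare edge), then classify the Strict-Transport-Security header the way SSL Labs does (missing, more than one header, max-age under 180 days, or ok). The three captures in the block are constructed, not real responses; the Kestrel port 5000, the origin IP placeholder, the hostname example.com and the assumption that the app sees proxied requests as HTTPS are all illustrative, not taken from the original post.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies HSTS headers from
# captured responses so the layer emitting the 30-day header can be identified.
#
# Capture points (commands for illustration; port 5000, the origin IP and the
# use of forwarded-header middleware in the app are assumptions):
#   curl -sI http://127.0.0.1:5000/ -H 'Host: example.com' -H 'X-Forwarded-Proto: https'  # Kestrel, bypassing nginx
#   curl -sI --resolve example.com:443:<origin-ip> https://example.com/                 # nginx origin, bypassing Cloudflare
#   curl -sI https://example.com/                                                       # through Cloudflare
#   sudo nginx -T | grep -i strict-transport-security                                    # does nginx itself add one?

# 180 days in seconds; SSL Labs reports anything shorter as "TOO SHORT".
HSTS_MIN_MAX_AGE=15552000

# Read response headers on stdin and print the max-age of every
# Strict-Transport-Security header, one per line. Header names are matched
# case-insensitively because HTTP/2 responses arrive lower-cased.
hsts_max_ages() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" {
      n = split($2, directive, ";[ \t]*")
      for (i = 1; i <= n; i++) {
        sub(/[ \t]+$/, "", directive[i])
        if (tolower(directive[i]) ~ /^max-age=[0-9]+$/) {
          sub(/^[^=]*=/, "", directive[i])
          print directive[i]
        }
      }
    }'
}

# Verdict for one captured response: missing, duplicate, too-short or ok.
# Exit status is 0 only for ok, so the function can gate a deployment check.
hsts_verdict() {
  ages=$(printf '%s\n' "$1" | hsts_max_ages)
  count=$(printf '%s\n' "$ages" | grep -c .)
  if [ "$count" -eq 0 ]; then echo missing;   return 1; fi
  if [ "$count" -gt 1 ]; then echo duplicate; return 1; fi
  if [ "$ages" -lt "$HSTS_MIN_MAX_AGE" ]; then echo too-short; return 1; fi
  echo ok
}

# Constructed sample captures (not real responses).
# Kestrel answering directly: the ASP.NET Core default of 30 days (2592000 s).
APP_DIRECT='HTTP/1.1 200 OK
Server: Kestrel
Strict-Transport-Security: max-age=2592000'

# The nginx origin after the add_header line from the question was added:
# the application header is proxied through unchanged and nginx appends its own.
NGINX_ORIGIN='HTTP/2 200
server: nginx/1.20.1
strict-transport-security: max-age=2592000
strict-transport-security: max-age=41536000; includeSubDomains; preload'

# After the fix: exactly one layer emits the header, with a long max-age.
FIXED='HTTP/2 200
server: nginx/1.20.1
strict-transport-security: max-age=31536000; includeSubDomains; preload'

printf 'app direct:   %s\n' "$(hsts_verdict "$APP_DIRECT")"
printf 'nginx origin: %s\n' "$(hsts_verdict "$NGINX_ORIGIN")"
printf 'fixed:        %s\n' "$(hsts_verdict "$FIXED")"
```

The second capture is the situation in the question: nginx has no built-in HSTS header, so the 2592000 value is the 30-day default that ASP.NET Core's `UseHsts()` emits, proxied through untouched, and `add_header` then appends a second header rather than replacing it, which is what SSL Labs reports as more than one HSTS header. Pick one layer to own the header: either configure `services.AddHsts(...)` with a longer `MaxAge` (plus `IncludeSubDomains` and `Preload` if wanted) and drop the nginx `add_header`, or remove `app.UseHsts()` (or hide the upstream header with `proxy_hide_header Strict-Transport-Security`) and keep the nginx line. Note that the ASP.NET Core middleware skips loopback hosts by default and only sends the header on requests it considers HTTPS, which is why the direct capture above sends a `Host` and `X-Forwarded-Proto` header.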
