nginx: HSTS Configuration and Removal

Introduction#

First, understand what HSTS is.

In simple terms, the server returns a response header (Strict-Transport-Security) that tells the browser to access this domain, and optionally its subdomains, only over https from now on. Once the browser has stored the rule it upgrades http links to https itself, so the website's application no longer has to rely on its own redirections, and the connection is harder to downgrade.

includeSubDomains#

It is important to note that once the includeSubDomains directive is present, the HSTS rule applies to every subdomain as well. For example, if the directive is sent by example.com, all of the following also follow the rule:

  • example.com
  • example.com:* any port
  • *.example.com
  • *.example.com:* any port

Configuring in nginx#

server {
    ..

    # HSTS: one year, this host only. includeSubDomains is a valueless
    # directive (RFC 6797), so it is omitted rather than set to "false".
    # "always" sends the header on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    ..
}

Leaving includeSubDomains out restricts the rule to this host. Writing includeSubDomains=false does not achieve that: the directive takes no value, and a browser that follows RFC 6797 ignores a header containing it, so no HSTS rule is applied at all.

Preventing application to subdomains#

If you only want the rule on the specified domain and not on its subdomains, omit the includeSubDomains directive entirely, so that the header value carries only max-age:

add_header Strict-Transport-Security "max-age=31536000" always;

Clearing HSTS rules applied to browsers#

If an incorrect HSTS rule has been configured and browsers have already stored it, there are two ways to resolve it:

  1. Clear all browser caches.
  2. Change the header to the following and reload nginx with nginx -s reload. On the next visit over https the browser receives max-age=0 and deletes the previously stored HSTS rule:
    add_header Strict-Transport-Security "max-age=0" always;
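The following Python model is an added example, not code from this post and not part of nginx: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 requires and keeps a toy per-host store, so you can see why a header containing includeSubDomains=false is ignored entirely, how includeSubDomains widens the rule to subdomains on any port, and how max-age=0 removes a stored rule. The function names parse_hsts, apply_header and is_hsts_host are hypothetical, and the header strings are constructed for the demonstration. Note that max-age=0 only reaches browsers that visit again over https, and it does not affect hosts baked into a browser's preload list.

```python
"""Simulated browser-side handling of Strict-Transport-Security (RFC 6797).

Added illustration, not code from the post or from nginx: it parses the header
value as section 6.1 of the RFC requires and keeps a toy HSTS store.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# HTTP token and quoted-string, which RFC 6797 reuses for directive names/values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(rf"^\s*({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*$")


@dataclass
class HstsPolicy:
    max_age: int            # seconds the rule stays valid
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a conforming UA would store, or None if it must ignore the header.

    None is returned for a malformed directive, a missing max-age, a repeated
    directive, or a value attached to includeSubDomains (the directive is valueless).
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        if not raw.strip():
            continue                      # the grammar allows empty directives
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None                   # malformed directive
        name = m.group(1).lower()         # directive names are case-insensitive
        val = m.group(2)
        if name in seen:
            return None                   # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if val is None:
                return None
            if val.startswith('"'):
                val = val[1:-1]           # max-age="600" is permitted
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            if val is not None:
                return None               # e.g. includeSubDomains=false: whole header ignored
            include_subdomains = True
        # any other directive name is ignored for forward compatibility
    if max_age is None:
        return None                       # max-age is REQUIRED
    return HstsPolicy(max_age, include_subdomains)


def apply_header(store: Dict[str, HstsPolicy], host: str, value: str) -> Dict[str, HstsPolicy]:
    """Update a toy HSTS store as a UA would on receiving the header over https."""
    policy = parse_hsts(value)
    if policy is None:
        return store                      # ignored header leaves any existing rule in place
    if policy.max_age == 0:
        store.pop(host, None)             # max-age=0 removes the host from the store
    else:
        store[host] = policy
    return store


def is_hsts_host(store: Dict[str, HstsPolicy], host: str) -> bool:
    """Decide whether requests to `host` (on any port) must be upgraded to https.

    An exact match always counts; a match on a parent domain counts only if
    that parent's rule was stored with includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is not None and (i == 0 or policy.include_subdomains):
            return True
    return False


if __name__ == "__main__":
    # Constructed header values, including the includeSubDomains=false form discussed above.
    for hdr in ("max-age=31536000; includeSubDomains",
                "max-age=31536000",
                "max-age=31536000; includeSubDomains=false;",
                "max-age=0"):
        print(f"{hdr!r:50} -> {parse_hsts(hdr)}")
```

Running it shows the first two values producing a stored policy, the third producing None (no rule at all, which is the opposite of what the author of that header intended), and max-age=0 producing a policy whose only effect in apply_header is to delete the host's entry.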