Author Topic: nginx - HSTS (Read 4776 times)

Oxima69 · « **on:** March 29, 2019, 09:27:07 am »

Hi,

Since version 1.8

Quote

HSTS not sent automatically anymore if HTTP over TLS is configured (still available via security header)

I guess there's a little problem here.

after activation via security header the nginx.conf has the following entry

add_header Strict-Transport-Security "15768000" always;
max-age is missing ?

it should be

add_header Strict-Transport-Security "max-age=15768000" always;
Or do I get something wrong......

fabian · « **Reply #1 on:** March 29, 2019, 05:36:31 pm »

that's a bug which I will fix

fabian · « **Reply #2 on:** March 29, 2019, 05:59:27 pm »

You can install the patch from here: https://github.com/opnsense/plugins/pull/1284/files

opnsense-patch -c plugins 7ed13346710a56ec504d114c102e34f7f4d35253

Oxima69 · « **Reply #3 on:** April 01, 2019, 09:52:37 am »

Great,
it works.

Oxima69 · « **Reply #4 on:** April 01, 2019, 09:59:25 am »

maybe in this context.
there is a little cosmetic error.

when activating the security headers.
you have 2 entries of

proxy_hide_header Strict-Transport-Security;

fabian · « **Reply #5 on:** April 01, 2019, 09:44:52 pm »

Oxima69 · « **Reply #6 on:** April 02, 2019, 12:31:16 pm »

Great,
it works.

fabian · « **Reply #7 on:** April 02, 2019, 06:02:28 pm »

Good to know that it works. Will be in the next release.