NGINX HSTS Header

HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain. Adding NGINX HSTS is similar to and designed to work with SSL redirects. The HSTS header embeds the redirect code within the user’s web browser. The security HTTP header is supported by the most popular web browsers today, including the KaiOS browser.

Implementing the NGINX HSTS header prevents users from overriding invalid or self-signed certificate warnings. Your website will become inaccessible without a valid SSL certificate.

This is the most secure HSTS header with every directive enabled:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Let’s break down each directive of the HSTS header.

max-age: Specifies how long the header will be active in seconds. This is the only required directive. This must be set to “31536000” to be eligible for HSTS preloading.

includeSubDomains: Applies HSTS to all subdomains. If you add this optional directive, you’ll need to ensure any subdomains used for development and staging purposes have valid SSLs installed.

Preload: Authorizes preload listing in web browsers if eligible. By default, the user must visit your website for the browser to save the header for subsequent visits. That means the user is still vulnerable to HTTP downgrade attacks upon the first visit. To account for this, popular browsers ship with a text file containing every domain submitted to “preload” the HSTS header. 

Preloading is a two-step process. First you must add “preload” to your HSTS header. The max-age must comply with current standards as well. Then, you must submit your domain at https://hstspreload.org.

Preloading is most beneficial for larger businesses that have the ability to ensure the domain (and subdomains if applicable) always have a valid SSL. It can take up to six months for a submitted domain to be added to the preload list. It can take even longer to remove it between email inquiries and updates to supported browsers.

Note: You must be on a VPS or Dedicated server to complete the steps in this guide.

Adding NGINX HSTS in SSH

After you log into SSH, edit the NGINX server configuration file for the domain. If you only have one domain on the server, edit the default NGINX configuration file:

sudo nano /etc/nginx/sites-enabled/default

Add the following line directly under the “listen” lines (remove “; preload” if not needed):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Remember, the max-age must be at least 1 year (31536000 seconds) for HSTS preloading.

Here’s an example of the how this might look in your configuration file:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

After you save your changes, restart NGINX:

systemctl restart nginx

Check your server HTTP headers.

curl --head localhost

The HSTS header should display near the bottom.

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 09 Dec 2021 16:28:01 GMT
Content-Type: text/html
Content-Length: 10701
Last-Modified: Tue, 03 Aug 2021 14:28:03 GMT
Connection: keep-alive
ETag: "00000000-12ab"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes

If you have to clear system caching and want to double-check from a PC, you can use wget which will follow any redirects automatically:

wget --server-response --spider example.com

Want to learn more about hardening your NGINX web server? Check out our guide on how to hide your NGINX server version.