
I recently added https support to my site with nginx reverse proxy.

I do not have an `add_header Strict-Transport-Security ...` line in my config. Even so, I see `Strict-Transport-Security: max-age=86400` in the response headers.

If I add `add_header Strict-Transport-Security "max-age=0; includeSubDomains";` to my config, I get two headers in the response!!:

```http
HTTP/1.1 200 OK
* Server nginx/1.11.12 is not blacklisted
Server: nginx/1.11.12
Date: Fri, 07 Apr 2017 11:46:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 37
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Length, X-Requested-With
X-DNS-Prefetch-Control: off
X-Frame-Options: DENY
Strict-Transport-Security: max-age=86400
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Surrogate-Control: no-store
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Strict-Transport-Security: max-age=0; includeSubDomains
```

How do I fix this?

  • Have you checked all nginx config files? Final configuration is usually merged from several. Try running `grep -r 'Strict-Transport-Security'` from `/etc/nginx/` folder. Check also in `/usr/local/nginx` if it exists. – Marek Rost Apr 07 '17 at 13:46
  • Also, welcome to SuperUser :] – Marek Rost Apr 07 '17 at 13:47

1 Answer


Oh, it was my application server that emitted the first header when it found itself on a secure connection.

Anybody using the helmet plugin, refer to this to manage it in your app.

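As an added example (not code from the question or the answer), here is a small Node.js checker that parses a raw HTTP response such as a `curl -i` capture and reports duplicated or conflicting `Strict-Transport-Security` headers, so a fix like the one above can be verified; the sample response is constructed to mirror the symptom. The point it makes visible: RFC 6797 requires a browser to process only the first HSTS header it sees, so with the two headers in the question the app server's `max-age=86400` is what takes effect and the nginx `max-age=0` is ignored.

```javascript
// Added example (not from the original post): parse a raw HTTP response and report
// Strict-Transport-Security (HSTS) headers that appear more than once.
// SAMPLE_RESPONSE is constructed to mirror the duplicate headers in the question.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.11.12',
  'X-Frame-Options: DENY',
  'Strict-Transport-Security: max-age=86400',
  'Cache-Control: no-store',
  'Strict-Transport-Security: max-age=0; includeSubDomains',
  '',
  '{"ok":true}',
].join('\r\n');

// Split the head of a response into [name, value] pairs; header names are case-insensitive.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  return head.split(/\r?\n/).slice(1)                 // drop the status line
    .map(line => line.split(/:(.*)/s))                 // split on the first colon only
    .filter(parts => parts.length >= 2)                // ignore lines without a colon
    .map(([name, value]) => [name.trim().toLowerCase(), value.trim()]);
}

// Parse the HSTS directives defined by RFC 6797: max-age, includeSubDomains, preload.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [key, val] = directive.trim().split('=');
    const k = key.toLowerCase();
    if (k === 'max-age') policy.maxAge = Number.parseInt((val || '').replace(/"/g, ''), 10);
    else if (k === 'includesubdomains') policy.includeSubDomains = true;
    else if (k === 'preload') policy.preload = true;
  }
  return policy;
}

// Report every HSTS header found. RFC 6797 section 8.1: a UA processes only the first
// one, so when the headers disagree the first emitter (here the app server) wins.
function checkHsts(raw) {
  const policies = parseHeaders(raw)
    .filter(([name]) => name === 'strict-transport-security')
    .map(([, value]) => parseHsts(value));
  return {
    count: policies.length,
    effective: policies[0] || null,                    // what a browser will apply
    duplicate: policies.length > 1,
    conflicting: policies.some(p => JSON.stringify(p) !== JSON.stringify(policies[0])),
  };
}
```

Whichever layer is chosen as the single source of the header, the other should stop sending it: either disable HSTS in the application (helmet exposes an `hsts` option for this) or have nginx drop the upstream copy with `proxy_hide_header Strict-Transport-Security;` before adding its own.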