HSTS with canonical URL redirect in nginx

Question

I was using the nginx configuration taken from this post to implement redirect from http://(www.)example.com -> https://example.com:

server {
    server_name www.example.com example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    <possibly other ssl directives if you have a separate cert and key for www>
    server_name www.example.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /path/to/server.cert;
    ssl_certificate_key /path/to/server.key;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    <locations for processing requests>
}

I'd like to add HSTS to this, so am following the nginx documentation, which amounts to adding

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

to both SSL server blocks (as done above).

TLDR: Is the STS header in the second server block necessary?

However I was doing some reading around the topic, especially this blog post which seemed to think that:

...if your canonical URL is www.example.com, the includeSubDomains token will not protect example.com as this is not a subdomain of www.example.com. A solution is to make a request from www.example.com to an uncached resource on https:// example.com, e.g. a 1px image, and make sure that https:// example.com sets the HSTS header.

I guess this is correct, as if you go straight to canonical https://www.example.com then it will only protect http://*.www.example.com.

However this doesn't appear an issue if your canonical URL is https://example.com and you use includeSubDomains. I tested it on Chrome and it did the following http://www.example.com (307) -> https://www.example.com (301) -> https://example.com.

So is the Strict-Transport-Security header in the second listen 443 ssl www.example.com block necessary? As a direct request to https://www.example.com would be SSL anyway, and it would pick up the STS includeSubDomains header on redirect from the third server block, protecting http://www.example.com in the future.

score 1 · Accepted Answer · answered Dec 31 '17 at 13:02

1

Yes, it is preferred to have the STS header in both server blocks, for the reason you wrote in your question.

Looking at it the other way, there is no harm in specifying the header in the example.com server either.

answered Dec 31 '17 at 13:02

Tero Kilkanen

38,887

HSTS with canonical URL redirect in nginx

1 Answers1