
HSTS header in Nginx - Commands & Configuration

Introduction
Websites need to keep visitors safe by making sure browsers only use secure connections. The HTTP Strict Transport Security (HSTS) header tells a browser that, for the number of seconds given in max-age, it must reach this host only over HTTPS: any http:// URL for the host is rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through. A browser only records the policy from a response it received over HTTPS, so a visitor's very first request is still protected only by an HTTP-to-HTTPS redirect (or by the browser's built-in preload list).
When you want to make sure visitors never connect to your site over HTTP by mistake, including when they type the address without a scheme.
When you want to protect users from attackers on the network who try to downgrade or intercept the connection; once the policy is cached the browser refuses to speak plain HTTP to the host at all.
When you have recently switched your website to HTTPS and want browsers to remember this on every later visit.
When you want to improve your website's rating in security header scanners and its trustworthiness.
When you want http:// references to your own host (images or scripts on the same domain, for example) upgraded automatically, which removes one source of mixed content warnings; HSTS does nothing for third-party hosts that only offer HTTP.
Config File - nginx.conf
server {
    # HTTPS listener; browsers only honour HSTS that arrives over TLS.
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # One year, applied to every subdomain as well. "always" attaches the
    # header to every response code, not only the 2xx/3xx codes nginx
    # decorates by default.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/html;
        index index.html;
    }
}

This configuration sets up an HTTPS server on port 443 for example.com.

The add_header Strict-Transport-Security line adds the HSTS header, telling browsers to use HTTPS only for this host for the next year (31536000 seconds) and, because of includeSubDomains, for every subdomain of example.com as well. Only enable includeSubDomains once every subdomain (mail, staging, internal tools) is reachable over HTTPS, because browsers will refuse plain-HTTP connections to all of them for the full year.

The always flag ensures the header is sent on every response. Without it, nginx adds headers only to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308, so a 404 or 500 page would go out without the policy.

Commands
Check the nginx configuration file for syntax errors before applying changes.
Terminal
sudo nginx -t
Expected Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx to apply the new configuration without stopping the server.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
Request the headers from the website to verify the HSTS header is present.
Terminal
curl -I https://example.com
Expected Output
HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html
-I - Fetch only the HTTP headers (a HEAD request) without the body
The first line reads HTTP/1.1 200 OK instead if HTTP/2 is not enabled on the listener; the strict-transport-security line is what you are looking for. Repeat the request with http:// in place of https:// and the header should be absent, and, if you have a port 80 server block that redirects, the response should be a 301 to the https:// address.
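The procedure above (test the configuration, reload, inspect the headers with curl) can be turned into a repeatable check. The script below is an added example and not part of the original page: it parses raw response headers exactly as curl -I prints them, fails when the HSTS header is missing or its max-age is under a year, warns when includeSubDomains is absent, and separately checks that the plain-HTTP side answers with a permanent redirect to an https:// URL, which is what protects a first-time visitor before the browser has seen the policy. The sample headers in the tests are constructed, and hsts-check.sh is an assumed file name.

```shell
#!/bin/sh
# Added example (not from the original page): check HSTS from raw response
# headers, i.e. what `curl -sI` prints, so the logic can be exercised offline
# on constructed headers and then pointed at a real host.

MIN_MAX_AGE=31536000   # one year, the minimum the page recommends

# hsts_header: read raw headers on stdin, print the value of the first
# Strict-Transport-Security header (names are case-insensitive) or nothing
# if absent. HTTP header lines end in CRLF, so the CR is stripped first.
hsts_header() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# hsts_max_age: read a header value on stdin, print its numeric max-age
# (directives are ;-separated and case-insensitive) or nothing.
hsts_max_age() {
    tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_hsts: read raw HTTPS response headers on stdin; return 0 only if the
# HSTS header is present with max-age >= MIN_MAX_AGE. Warns (does not fail)
# when includeSubDomains is missing, since that depends on your subdomains.
check_hsts() {
    headers=$(cat)
    value=$(printf '%s\n' "$headers" | hsts_header)
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header" >&2
        return 1
    fi
    max_age=$(printf '%s\n' "$value" | hsts_max_age)
    if [ -z "$max_age" ]; then
        echo "FAIL: header '$value' has no max-age directive" >&2
        return 1
    fi
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$max_age is below $MIN_MAX_AGE (1 year)" >&2
        return 1
    fi
    case "$value" in
        *[Ii]nclude[Ss]ub[Dd]omains*) ;;
        *) echo "WARN: includeSubDomains not set" >&2 ;;
    esac
    echo "OK: $value"
    return 0
}

# check_http_redirect: read raw plain-HTTP response headers on stdin; return 0
# only if the status is a permanent redirect to an https:// URL. Browsers learn
# HSTS only over HTTPS, so the port 80 block must send first-time visitors there.
check_http_redirect() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//')
    case "$status" in
        301|308) ;;
        *) echo "FAIL: expected a 301/308 redirect, got status '$status'" >&2; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: redirects to $location"; return 0 ;;
        *) echo "FAIL: redirect target is not https:// ('$location')" >&2; return 1 ;;
    esac
}

# Usage against a live host (not run here): ./hsts-check.sh example.com
if [ -n "${1:-}" ]; then
    curl -sI "http://$1" | check_http_redirect
    curl -sI "https://$1" | check_hsts
fi
```

Both checks read headers from stdin, so the same functions work on saved curl output or on a pipe from a live request; a non-zero exit status makes them usable as a post-deploy gate.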
Key Concept

If you remember nothing else from this pattern, remember: the HSTS header forces browsers to always use secure HTTPS connections to your site.

Common Mistakes
Setting the header without the 'always' flag.
nginx then adds it only to 2xx and 3xx responses, so error pages and other status codes go out without the policy.
Use 'add_header Strict-Transport-Security ... always;' to ensure the header is sent on all responses.
Setting a very short max-age value like 0 or a few seconds.
Browsers won't remember the HTTPS-only rule long enough to protect users effectively. A short value such as 300 is fine as a deliberate first step to confirm nothing breaks, and max-age=0 is how you withdraw the policy, but neither is a finished deployment.
Set max-age to at least 31536000 seconds (1 year) once the rollout is confirmed.
Adding the HSTS header on HTTP (port 80) server blocks.
Browsers ignore HSTS headers received over insecure HTTP connections, so the line does nothing there; what the port 80 block must do is redirect to HTTPS, so that the browser reaches the block that does send the header.
Add the HSTS header only in the HTTPS server block and use 'return 301 https://$host$request_uri;' in the HTTP block.
Turning on includeSubDomains while some subdomain still serves plain HTTP only.
Browsers will refuse to load that subdomain over HTTP for the full max-age, and the policy can only be withdrawn by serving max-age=0 from the parent host over HTTPS and waiting for each browser to revisit.
Make every subdomain reachable over HTTPS before adding includeSubDomains, or leave it off.
Declaring add_header inside a location block without repeating the HSTS line there.
nginx inherits add_header directives from the server level only when the location has none of its own, so a location that adds, say, a Cache-Control header silently stops sending HSTS for its responses.
Repeat the 'add_header Strict-Transport-Security ... always;' line in every location that has its own add_header directives.
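The configuration below is an added example, not the page's original, and contrasts the mistakes above with the corrected layout: HSTS on the plain-HTTP block and a location that drops the header through add_header inheritance are shown commented out, followed by the working version with an HTTP-to-HTTPS redirect and the HSTS line repeated where a location sets its own headers. example.com, the certificate paths and the /static/ location are placeholders.

```nginx
# Added example, not the page's original configuration. example.com, the
# certificate paths and the /static/ location are placeholders.

# WRONG (kept commented out for contrast; do not load beside the correct blocks)
# server {
#     listen 80;
#     server_name example.com;
#     # Browsers ignore HSTS received over plain HTTP, so this line does nothing
#     # and the visitor is never sent to HTTPS.
#     add_header Strict-Transport-Security "max-age=31536000" always;
# }
# server {
#     listen 443 ssl;
#     server_name example.com;
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#     location /static/ {
#         # This location now has its own add_header, so nginx stops inheriting
#         # the server-level one: responses under /static/ carry no HSTS header.
#         add_header Cache-Control "public, max-age=86400";
#         root /var/www;
#     }
# }

# CORRECT
server {
    listen 80;
    server_name example.com www.example.com;
    # No HSTS here; send every plain-HTTP request to HTTPS. The HTTPS response
    # is where the browser learns the policy.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Sent on every status code ("always"), one year, covering all subdomains;
    # only enable includeSubDomains after every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static/ {
        root /var/www;
        add_header Cache-Control "public, max-age=86400";
        # Repeated on purpose: a location with its own add_header directives
        # no longer inherits the server-level HSTS line.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

After nginx -t and a reload, curl -I http://example.com should return a 301 with an https:// Location and no strict-transport-security line, while curl -I https://example.com/static/app.css should still show the header alongside cache-control.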
Summary
Add the HSTS header in the nginx HTTPS server block using 'add_header Strict-Transport-Security ... always', never in the HTTP block, and only after every host it covers serves HTTPS.
Test the nginx configuration with 'nginx -t' before reloading to avoid errors.
Verify the header is sent by requesting headers with 'curl -I https://example.com'.