Nginx / devops / ~20 mins

HSTS header in Nginx - Practice Problems & Coding Challenges

Challenge - 5 Problems

Problem 1: Command Output (intermediate)
What is the effect of this nginx HSTS header configuration?
Given this nginx configuration snippet, what will be the exact HTTP response header sent to clients?
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

A. Strict-Transport-Security: max-age=0
B. Strict-Transport-Security: max-age=31536000
C. Strict-Transport-Security: max-age=31536000; includeSubDomains
D. Strict-Transport-Security: max-age=31536000; preload

Hint: Look carefully at the exact string inside the quotes in the add_header directive.
Problem 2: Configuration (intermediate)
Which nginx config disables HSTS completely?
You want to disable HSTS on your nginx server. Which configuration line will remove the Strict-Transport-Security header from responses?
A. add_header Strict-Transport-Security "max-age=0" always;
B. add_header Strict-Transport-Security "" always;
C. add_header Strict-Transport-Security "max-age=31536000" always;
D. remove_header Strict-Transport-Security;

Hint: Setting max-age to zero tells browsers to stop enforcing HSTS.
Problem 3: Troubleshoot (advanced)
Why is HSTS header missing despite nginx config?
You configured nginx with:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

But the header is missing in HTTP responses. What is the most likely cause?
A. The server firewall blocks the Strict-Transport-Security header.
B. The add_header directive syntax is incorrect and causes nginx to ignore it.
C. The browser is caching old responses without the header.
D. The site is accessed over HTTP, not HTTPS, so the HSTS header is not sent.

Hint: HSTS only applies to secure HTTPS connections.
Problem 4: Best Practice (advanced)
What is the recommended minimum max-age value for HSTS in production?
For strong security, what is the recommended minimum max-age value (in seconds) to set in the Strict-Transport-Security header?
A. 86400 (1 day)
B. 31536000 (1 year)
C. 2592000 (30 days)
D. 0 (disable HSTS)

Hint: Longer max-age values enforce HSTS for longer periods.
Problem 5: Conceptual (expert)
What risk does missing 'includeSubDomains' in HSTS header pose?
If your nginx HSTS header is:
Strict-Transport-Security: max-age=31536000

but does NOT include 'includeSubDomains', what is the main security risk?
A. Subdomains can still be accessed over HTTP, allowing man-in-the-middle attacks.
B. Browsers will ignore the HSTS header completely.
C. The max-age value will be treated as zero by browsers.
D. The server will reject HTTPS connections on subdomains.

Hint: Consider how HSTS applies to subdomains when 'includeSubDomains' is missing.