Nginx / devops / ~5 mins

HSTS header in Nginx - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does HSTS stand for and what is its main purpose?
HSTS stands for HTTP Strict Transport Security. Its main purpose is to tell browsers to only connect to a website using HTTPS, improving security by preventing insecure HTTP connections.
beginner
How do you enable HSTS in an nginx server configuration?
You add the Strict-Transport-Security header in the HTTPS server block, for example:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
beginner
What does the max-age directive in the HSTS header control?
The max-age directive sets how long (in seconds) the browser should remember to only use HTTPS for the site. For example, max-age=31536000 means 1 year.
intermediate
What is the effect of adding includeSubDomains in the HSTS header?
Adding includeSubDomains tells browsers to apply the HSTS policy to all subdomains of the site, not just the main domain.
intermediate
Why should the HSTS header be sent only over HTTPS connections?
Because HSTS tells browsers to only use HTTPS, sending it over HTTP would be insecure and could allow attackers to intercept or strip the header.
What is the correct nginx directive to add the HSTS header?
A. add_header HSTS "max-age=31536000; includeSubDomains";
B. set_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
C. header_add Strict-Transport-Security "max-age=31536000; includeSubDomains";
D. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

What does the max-age value in the HSTS header represent?
A. The number of subdomains to include
B. The number of seconds the browser should enforce HTTPS only
C. The number of requests allowed over HTTP
D. The timeout for HTTPS connections

Why is it important to include includeSubDomains in the HSTS header?
A. To apply the HSTS policy to all subdomains as well
B. To exclude subdomains from HSTS
C. To enable HTTP connections on subdomains
D. To disable HTTPS on subdomains

What happens if you send the HSTS header over an HTTP connection?
A. It can be intercepted or stripped by attackers
B. It forces the browser to use HTTPS immediately
C. It disables HTTPS for the site
D. It has no effect

Which of these is a valid HSTS header value?
A. "max-age=31536000; excludeSubDomains"
B. "max-age=one year; includeSubDomains"
C. "max-age=31536000; includeSubDomains"
D. "max-age=0; includeSubDomains"
Explain how to configure the HSTS header in nginx and why it is important.
Think about telling browsers to always use HTTPS and how nginx sends headers.
Describe the risks of not using HSTS on a website that supports HTTPS.
Consider what happens if browsers are allowed to connect over HTTP.