HSTS Header "Strict-Transport-Security"

Hello everyone,

Well, I’ve got a problem.
I’m using nginx as a webserver and I get the warning message that my HTTP header “Strict-Transport-Security” is not set to at least 15552000 seconds. But my nginx config looks like this:

```nginx
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
```

So I think it’s correct, but it doesn’t work.
Do you have an idea?

Thanks in advance
Sascha Zänker

Hi @Zaenky

I’m not an nginx expert. But maybe this could cause the issue…

### Inheritance Rules for add_header Directives

NGINX configuration blocks inherit add_header directives from their enclosing blocks, so you just need to place the add_header directive in the top‑level server block. There’s one important exception: if a block includes an add_header directive itself, it does not inherit headers from enclosing blocks, and you need to redeclare all add_header directives:

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/#Configuring-HSTS-in-NGINX-and-NGINX Plus

If this doesn’t solve your problem, please post your complete nginx config; maybe one of the nginx users here will be able to help you…
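
The inheritance rule quoted above can be checked mechanically. The following is an added example, not part of the original thread and not nginx tooling: a small Python audit that computes the effective `add_header` set for every block and reports where HSTS is missing or below the 15552000-second threshold. The sample config and the names `parse`, `check` and `audit` are hypothetical, and the parser is simplified (it does not follow `include` files).

```python
import re

MIN_MAX_AGE = 15552000  # threshold named in the warning quoted in the thread

# Constructed sample: /api/ sets its own add_header, so it drops the inherited HSTS.
SAMPLE = '''
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    location / { root /var/www/html; }
    location /api/ { add_header X-Frame-Options "DENY" always; }
}
'''

TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

def parse(conf):
    """Build a tree of blocks, recording each block's own add_header directives."""
    conf = re.sub(r'#[^\n]*', '', conf)  # drop comments (simplified: no '#' in strings)
    root = {"name": "", "headers": {}, "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == ';':
            if words[:1] == ['add_header'] and len(words) >= 3:
                stack[-1]["headers"][words[1].lower()] = words[2].strip('"\'')
            words = []
        elif tok == '{':
            block = {"name": ' '.join(words), "headers": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            words = []
        elif tok == '}':
            stack.pop()
        else:
            words.append(tok)
    return root

def check(block, inherited, path):
    """Return (block path, status) pairs using each block's effective header set."""
    effective = block["headers"] or inherited  # any own add_header discards inherited ones
    here = (path + " > " + block["name"]).strip(" >")
    value = effective.get("strict-transport-security")
    age = re.search(r'max-age=(\d+)', value or "", re.I)
    short = not age or int(age.group(1)) < MIN_MAX_AGE
    status = "missing" if value is None else "too short" if short else "ok"
    return [(here, status)] + [f for c in block["children"] for f in check(c, effective, here)]

def audit(conf):
    root = parse(conf)
    return [f for child in root["children"] for f in check(child, root["headers"], "")]
```

This only audits the configuration on the origin server; a CDN or reverse proxy in front of nginx can still add, replace or remove the header the client finally sees.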

Hey there,

Well, it was a problem in Cloudflare. I configured the HSTS header there, and then after a few minutes it worked.
