Remove includeSubdomains from HSTS header
includeSubdomains can lead to issues where not all subdomains are able to use HTTPS. This options might be too strict for the general case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security. It can be re-enabled w/ a custom template if needed. Fixes #109
This commit is contained in:
Jason Wilder
parent
879bb59d90
commit
4a99ac5548
1 changed files with 1 additions and 1 deletions
|
|
@ -105,7 +105,7 @@ server {
|
|||
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
|
||||
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
||||
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
||||
|
|
|
|||
Reference in a new issue