From 4a99ac554824cde8be34cc173abc7cf1ef69dd7a Mon Sep 17 00:00:00 2001
From: Jason Wilder
Date: Sat, 28 Feb 2015 15:50:59 -0700
Subject: [PATCH] Remove includeSubdomains from HSTS header
includeSubdomains can lead to issues where not all subdomains are able to use HTTPS. This options might be too strict for the general case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security. It can be re-enabled w/ a custom template if needed. Fixes #109
---
 nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index fdb319c..446ec31 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -105,7 +105,7 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ add_header Strict-Transport-Security "max-age=31536000";
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 include {{ printf "/etc/nginx/vhost.d/%s" $host }};
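Review bot: The new `add_header Strict-Transport-Security` line carries no explanation of why `includeSubdomains` was dropped, and the reasoning from the commit message (per-subdomain HTTPS may not be available; re-enable through a custom template) is exactly what the next reader of the generated config needs. Suggested comment directly above the directive: `# HSTS without includeSubdomains (see #109): add it back via a custom template once every subdomain serves HTTPS.` Note also that nginx inherits `add_header` into a `location` only when that location sets no `add_header` of its own, so a per-host `/etc/nginx/vhost.d/<host>` file (pulled in by the `include` directive two lines below) that adds headers inside a `location` will silently lose this HSTS header for that path; a second comment line noting that caveat is cheap insurance. The enclosing `server {` block begins and ends outside the hunk.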