HSTS when having 301 redirects

[markku]

With the following 301 redirects:

• http://example.com -> https://www.example.com
• http://www.example.com -> https://www.example.com
• https://example.com -> https://www.example.com

Should I put HSTS only in https://www.example.com block in nginx or in both https://example.com and https://www.example.com?

Google writes:
"If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (not the page it redirects to)."

But I don't fully understand that. Does that mean that since https://example.com redirects to https://www.example.com, https://example.com should have HSTS?

But why does it say "not the page it redirects to"?

Confused! Thanks for any help.

 

[Nuno]

Should I put HSTS only in https://www.example.com block in nginx or in both https://example.com and https://www.example.com?

You should place HSTS in the final domain only.

 

[rdn]

Based on this statement:

Google writes:
"If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (not the page it redirects to)."

HSTS should be:

in both https://example.com and https://www.example.com?