
Nginx: Is it fine to use "Strict-Transport-Security" on HTTP / port 80 block?

RoldanLT

Well-known member
#1
I mean this:
Code:
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
# (the trailing ";" inside the quoted value is a harmless leftover; the directive name is includeSubDomains, matched case-insensitively)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Usually it is used on the https / port 443 block.

I just switched back from HTTPS to HTTP only last month.
Now I want to clear all browser caches for old visitors and always use HTTP only.
 

RoldanLT

Well-known member
#2
Never mind:
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
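The note quoted in post #2 is the user-agent rule from RFC 6797: a browser stores a Strict-Transport-Security policy only when it arrives over HTTPS with a valid certificate, and ignores it over plain HTTP. The following is an added example, not code from the post or from nginx; it models a browser's HSTS policy store and walks through the exact scenario in the thread (a returning visitor whose browser stored the year-long policy, then the site going back to HTTP). It goes one step beyond the post: it also shows what a browser does with `max-age=0`, which is how a stored policy gets removed. The hostnames, header values and clock values are constructed.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).
Added example; not code from the forum post or from nginx.
Hostnames and header values below are constructed for illustration."""
import time


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse(value):
        """Parse an STS header value into (max_age, include_subdomains).
        Returns None if the header is unusable (no max-age, non-numeric
        max-age, or a directive repeated). Directive names are matched
        case-insensitively; an empty trailing directive, as produced by a
        value ending in ';', is tolerated; unknown directives are ignored."""
        max_age, include_sub, seen = None, False, set()
        for raw in value.split(";"):
            directive = raw.strip()
            if not directive:
                continue
            name, _, val = directive.partition("=")
            name = name.strip().lower()
            if name in seen:
                return None
            seen.add(name)
            if name == "max-age":
                val = val.strip().strip('"')
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def process_response(self, scheme, host, headers, cert_ok=True):
        """Apply the STS header from one response; return True if the store
        changed. Honoured only over HTTPS with no certificate errors: over
        HTTP the header is ignored, since an attacker could inject or strip it.
        max-age=0 tells the browser to delete any stored policy for host."""
        if scheme != "https" or not cert_ok:
            return False
        value = next((v for k, v in headers
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = self.parse(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            return self._policies.pop(host, None) is not None
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def should_upgrade(self, host):
        """Would the browser rewrite http://host to https://host right now?
        Checks host itself, then each parent domain with includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                del self._policies[candidate]  # policy expired, drop it
                continue
            if i == 0 or include_sub:
                return True
        return False


def demo():
    """The thread's scenario. Returns a dict of the observable outcomes."""
    clock = [1_000_000.0]  # constructed clock so the run is deterministic
    store = HstsStore(now=lambda: clock[0])
    r = {}
    # 1. Last year the site served the poster's header over HTTPS: stored.
    old = [("Strict-Transport-Security", "max-age=31536000; includeSubdomains;")]
    r["stored"] = store.process_response("https", "example.com", old)
    r["upgrade_after_store"] = store.should_upgrade("www.example.com")
    # 2. Site is now HTTP-only and puts a clearing header in the :80 block.
    clear = [("Strict-Transport-Security", "max-age=0")]
    r["cleared_over_http"] = store.process_response("http", "example.com", clear)
    r["upgrade_after_http_clear"] = store.should_upgrade("example.com")
    # 3. The same header over HTTPS with a valid certificate does remove it.
    r["cleared_over_https"] = store.process_response("https", "example.com", clear)
    r["upgrade_after_https_clear"] = store.should_upgrade("example.com")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence for the situation in post #1: nothing served on port 80 can undo the policy that old visitors already hold, and with `max-age=31536000` it persists for up to a year after their last HTTPS visit. The two ways to get those browsers back to plain HTTP are to wait that long, or to keep the 443 block up with a valid certificate and serve `Strict-Transport-Security: max-age=0` from it (in nginx, `add_header Strict-Transport-Security "max-age=0" always;` in the 443 server block) until the stragglers have visited once.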