Nginx: Is it fine to use "Strict-Transport-Security" on HTTP / port 80 block?

rdn

Well-known member
I mean this:
Code:
# config to enable HSTS (HTTP Strict Transport Security)
# https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Usually it is used in the https / port 443 block.

I just switched back from HTTPS to HTTP only last month.
Now I want to clear the cached policy in the browsers of old visitors and always use HTTP only.
 
Never mind:
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
 
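The rule quoted from MDN above can be checked against a small model of a browser's HSTS store. The code below is an added example and is not part of the forum post or of nginx; it models what RFC 6797 specifies (directive names are case-insensitive, the header is only processed over HTTPS with a valid certificate, and `max-age=0` removes a host from the store). The host names and header values in it are constructed sample inputs, and `simulate_switch_back` replays the situation described in the post.

```python
"""Model of how a browser treats the Strict-Transport-Security header.

Added example (not from the forum post). It follows the rule quoted from MDN:
the header is only honored on an HTTPS response with no certificate errors;
over plain HTTP it is ignored.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value; return None when no usable max-age is present.

    Directive names are case-insensitive, so 'includeSubdomains' (as written in
    the nginx snippet in the post) and 'includeSubDomains' are both accepted.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerates a trailing ';' inside the value
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None  # malformed max-age: whole header is ignored
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (e.g. preload) do not affect this model
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def apply_hsts(store: Dict[str, HstsPolicy], host: str, scheme: str,
               cert_ok: bool, header: Optional[str]) -> Dict[str, HstsPolicy]:
    """Update the browser's HSTS store after receiving one response."""
    if scheme != "https" or not cert_ok or header is None:
        return store  # HTTP, bad certificate, or no header: nothing changes
    policy = parse_hsts(header)
    if policy is None:
        return store
    if policy.max_age == 0:
        store.pop(host, None)  # max-age=0 tells the browser to forget the host
    else:
        store[host] = policy
    return store


def is_hsts_host(store: Dict[str, HstsPolicy], host: str) -> bool:
    """True if the browser would upgrade http://host/ to https://."""
    if host in store:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):  # walk up to each parent domain
        parent = store.get(".".join(labels[i:]))
        if parent is not None and parent.include_subdomains:
            return True
    return False


def simulate_switch_back() -> dict:
    """Replay the scenario in the post with constructed sample data."""
    site = "example.test"  # constructed host name
    store: Dict[str, HstsPolicy] = {}
    # 1. Last year the site ran HTTPS and sent the header: the policy is stored.
    apply_hsts(store, site, "https", True, "max-age=31536000; includeSubdomains;")
    stored_after_https = is_hsts_host(store, site)
    # 2. The site is now HTTP only and sends the header on port 80: ignored.
    apply_hsts(store, site, "http", True, "max-age=0")
    still_pinned_after_http = is_hsts_host(store, site)
    # 3. Only an HTTPS response with max-age=0 clears the stored policy.
    apply_hsts(store, site, "https", True, "max-age=0")
    cleared_after_https_zero = is_hsts_host(store, site)
    return {
        "stored_after_https": stored_after_https,
        "still_pinned_after_http": still_pinned_after_http,
        "cleared_after_https_zero": not cleared_after_https_zero,
    }


if __name__ == "__main__":
    print(simulate_switch_back())
```

The outcome of the replay matches the MDN note: sending the header (even with `max-age=0`) from the port 80 block changes nothing in the visitor's browser, so a site that wants old visitors to stop being upgraded has to serve `max-age=0` over a working HTTPS endpoint until the original `max-age` has expired.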