quirk in nginx HSTS configuration

Question asked by Joseph Hall on Mar 31, 2015
Latest reply on Apr 1, 2015 by Joseph Hall

Hi everyone,

We just started serving the HSTS header at cdt.org. woo!

However, something is bugging me and I'm not sure if it will have an operational impact. Any help in fixing it or things that you might know will break would be helpful.

When I pull the headers we are serving:

% curl -I https://cdt.org
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Mar 2015 20:42:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10-1ubuntu3.11
X-Pingback: https://cdt.org/wp/xmlrpc.php
Link: <https://cdt.org/>; rel=shortlink
Strict-Transport-Security:: max-age=31536000; includeSubDomains; preload

Things look pretty good... except for the STS header, which has two colons instead of just one. That is, where it says "Strict-Transport-Security::" I expect to see "Strict-Transport-Security:".

We're adding this the usual nginx way by putting the following in the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";


Which indicates that we're not adding the double colon on purpose or by accident. Running the configuration test ('/etc/init.d/nginx configtest') says it's OK.


Anyway, I'd love to get rid of those two colons and replace them with one. The current SSL Labs server test for us reports HSTS with a long lifetime, so that tool sees it... (although we get an F for an older version of OpenSSL, which we're working on). But I'm not sure if that double colon might break other things, though.

thanks, Joe
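Added example (not from the original post or from nginx): a strict check of the Strict-Transport-Security field against the RFC 6797 directive grammar, run over a constructed copy of the headers quoted above. An HTTP parser splits a header line at its first colon, so the doubled colon leaves the header name correct but the field value starting with ":"; a strict parser rejects that value because ":" is not a token character, while a lenient scanner such as the one the post says SSL Labs uses can still find max-age. Whether any particular browser tolerates the malformed value is not something this script decides; it only tells you whether what you serve is grammatically what you intended. The sample header text and the file-argument convenience are assumptions made for the example.

```python
"""Strict RFC 6797 check for a served Strict-Transport-Security header."""
import re
import sys

# Constructed sample (assumption): a trimmed copy of the response head quoted
# in the post, with the doubled colon exactly as served.
RAW_DOUBLE_COLON = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security:: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
)
# The same head with the header written correctly, for comparison.
RAW_OK = RAW_DOUBLE_COLON.replace("Security::", "Security:")

# RFC 7230 "token" characters: valid for header names and STS directive names.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (name, value) pairs.

    Like any real HTTP parser it splits at the FIRST ':' on the line, so
    'Strict-Transport-Security:: v' yields ('Strict-Transport-Security', ': v').
    """
    pairs = []
    for line in re.split(r"\r?\n", raw)[1:]:   # skip the status line
        if line == "":                          # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name, value.strip()))
    return pairs


def parse_sts(value):
    """Parse an STS field value per the RFC 6797 section 6.1 grammar.

    Returns {directive-name: value-or-None}; raises ValueError on anything the
    grammar forbids (non-token names, duplicate directives, bad max-age).
    Unknown directives such as 'preload' are kept but not interpreted.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()             # directive names are case-insensitive
        if not TOKEN_RE.match(name):
            raise ValueError("invalid directive name %r" % name)
        if name in directives:
            raise ValueError("duplicate directive %r" % name)
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                     # quoted-string form is permitted
        directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a delta-seconds integer")
    if directives.get("includesubdomains") is not None:
        raise ValueError("includeSubDomains takes no value")
    return directives


def check_hsts(raw):
    """Report on the STS header in a raw response head.

    Follows RFC 6797: only the first STS field is processed; the total is
    reported so duplicate fields (e.g. nginx plus PHP both adding one) show up.
    """
    sts = [v for n, v in parse_headers(raw)
           if n.lower() == "strict-transport-security"]
    report = {"present": bool(sts), "count": len(sts), "valid": False,
              "max_age": None, "directives": None, "error": None}
    if not sts:
        report["error"] = "no Strict-Transport-Security header"
        return report
    try:
        directives = parse_sts(sts[0])
    except ValueError as exc:
        report["error"] = str(exc)
        return report
    report.update(valid=True, max_age=int(directives["max-age"]),
                  directives=directives)
    return report


if __name__ == "__main__":
    # With a file argument, check saved `curl -sI https://host` output;
    # otherwise run over the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read().decode("latin-1")}
    else:
        samples = {"double-colon": RAW_DOUBLE_COLON, "corrected": RAW_OK}
    for label, raw in samples.items():
        r = check_hsts(raw)
        print("%-13s present=%s count=%d valid=%s max_age=%s error=%s"
              % (label, r["present"], r["count"], r["valid"], r["max_age"], r["error"]))
```

Run with no arguments to see the double-colon sample rejected ("invalid directive name ': max-age'") and the corrected one accepted with max_age=31536000; point it at a file saved from `curl -sI` to check a live site. A count above 1 is worth investigating on a WordPress/PHP stack like the one in the post, since the application layer can emit its own copy of the header.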