Eric Rosenberry

HSTS header not being set by NGINX on error

Discussion created by Eric Rosenberry on May 26, 2017
Latest reply on May 29, 2017 by Ivan Ristić

I am posting this here just to document this in the public space since some of the SSL Labs folks helped me with it offline and I wanted to make sure the information shared was publicly indexed.


I have a web site that is publicly accessible and has HSTS headers enabled (using NGINX to insert them).  This works great and the SSL Labs tool properly shows HSTS as being enabled.  I then also have another version of this site that has basic authentication enabled since it is the development version of the site.  When testing against this development site SSL Labs shows that HSTS is not enabled.


It would appear that the issue is due to NGINX not inserting that header on the error it returns when you curl without the username/password being sent.


I have asked for perhaps an enhancement to the tool such that it shows when the HSTS test gets an error (vs. a successful page load).


Header add Strict-Transport-Security "max-age=15768000"
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off


$ curl -I https://foo.example.com
HTTP/1.1 401 Unauthorized
Date: Fri, 26 May 2017 16:45:46 GMT
Server: Apache
WWW-Authenticate: Basic realm="Please Log In"
Content-Type: text/html; charset=iso-8859-1


Also, the SSL Labs folks were kind enough to point out that we should be doing something different with our HSTS header - so it is always sent on all responses.  I am quoting them here so that their useful response is Googleable.  I am going to add this directive now!


"We agree it would be useful to have a notice that the server responded with an unusual error code. That said, technically, you should be sending the HSTS header on all web server responses.

Modern Nginx has a setting that configures it to send headers on non-200 responses:

http://nginx.org/en/docs/http/ngx_http_headers_module.html

You need to add the "always" directive.

You're probably not going to meaningfully improve your security by doing this, but it's a useful thing to know."


Thanks to qualys and the folks at SSL Labs for making this great tool freely available!


-Eric
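For readers landing here from a search, the following nginx server block is an added illustration of the behaviour discussed above; it is not Eric's configuration or anything from SSL Labs, and the hostname, certificate paths and htpasswd path in it are placeholders. It shows the add_header line that only covers successful responses next to the "always" form that also covers the 401 challenge basic auth produces.

```nginx
# Added example (not from the post): nginx server block showing the HSTS
# pitfall described in the thread, and the fix. Hostnames and paths are
# placeholders.

server {
    listen 443 ssl;
    server_name dev.example.com;   # placeholder hostname

    ssl_certificate     /etc/ssl/certs/dev.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/dev.example.com.key; # placeholder

    # WEAK: without "always", add_header is applied only to responses with
    # status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308. The 401
    # returned by auth_basic below would carry no HSTS header, which is
    # exactly what SSL Labs reports as "HSTS not enabled".
    # add_header Strict-Transport-Security "max-age=15768000";

    # FIXED: "always" (nginx 1.7.5 and later) adds the header regardless of
    # the response code, so the 401 challenge is covered too.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # Basic auth on the whole dev site: unauthenticated requests get a 401.
    auth_basic           "Please Log In";
    auth_basic_user_file /etc/nginx/htpasswd;   # placeholder path

    location / {
        root /var/www/dev;   # placeholder
    }
}
```

Two things worth checking after the change. First, add_header directives are inherited from the server level only if the location block defines no add_header of its own; a location that adds any other header must repeat the Strict-Transport-Security line, or the HSTS header silently disappears for that path. Second, confirm the fix the same way the problem was found: curl -sI against the protected site should now show the Strict-Transport-Security header on the 401 response, not just on a 200. If the site is actually served by Apache (as the Server: Apache line in the curl output above suggests), the equivalent of nginx's "always" is mod_headers' condition keyword: Header always set Strict-Transport-Security "max-age=15768000" applies to error responses as well, whereas the default onsuccess condition does not.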
