According to the MDN docs on HSTS[1], the Strict-Transport-Security header is ignored when sent over HTTP because an attacker could have modified it, and so it is redundant in this example.
Moving it to the HTTPS server block means that a user's browser will remember that it should only access the site over HTTPS after accessing the site over HTTPS the first time.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Description
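To make the point concrete, here is an added nginx example (not the configuration under review, and not taken from the MDN page): the first `server` block shows the redundant placement the comment describes, where `add_header Strict-Transport-Security` sits in the plain-HTTP block and is ignored by browsers; the second shows the header moved into the HTTPS block, where it is honoured. Hostnames, certificate paths and the `max-age`/`includeSubDomains` values are assumptions for illustration.

```nginx
# --- Before: HSTS header in the HTTP block (ineffective) ---
# Browsers discard Strict-Transport-Security received over plain HTTP,
# because an on-path attacker could have injected or altered it.
server {
    listen 80;
    server_name example.com;   # assumed hostname

    # Ignored by every compliant browser: this response is not over TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    return 301 https://$host$request_uri;
}

# --- After: HSTS header in the HTTPS block (effective) ---
# The HTTP block only redirects; it carries no HSTS header at all.
server {
    listen 80;
    server_name example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;   # assumed hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key; # assumed path

    # Sent over TLS, so the browser records it: for the next max-age
    # seconds (one year here, an assumed value) it will rewrite any
    # http:// URL for this host, and with includeSubDomains its
    # subdomains, to https:// before sending a request. "always" makes
    # nginx emit the header on error responses too, not only 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example;  # assumed document root
}
```

One caveat worth keeping in mind when reviewing this kind of change: the policy is only learned on the first HTTPS visit, so a user's very first plain-HTTP request still relies on the 301 redirect rather than on HSTS. That is the "after accessing the site over HTTPS the first time" behaviour described above, and it is why the redirect in the port-80 block should stay even once the header is moved.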