Open wolegis opened 1 week ago
@wolegis Thank you! But could you please sign off your commit? (`git commit --amend -s`)
The HSTS header config is now included twice. I see no difference between both versions and HSTS should not be enabled by default in my opinion. Enabling it has severe implications and should be considered thoroughly.
The two `add_header` statements in the cited block are alternatives. Probably, the comments should emphasize this fact.
IMHO, HSTS in itself is desirable. The problematic part is `preload`, and the comment pretty clearly indicates the implications.
I've improved the comments (and additionally signed off the latest commit).
According to Nginx' documentation, `add_header` settings are inherited to deeper nested server or location blocks only if these deeper blocks do not contain their own `add_header` statements. In our case the relevant block has indeed its own `add_header` statements. Thus the HSTS settings from Nginx' main configuration file are not inherited and need to be reproduced.
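The inheritance behaviour discussed above, as an added illustration that is not part of this PR or the project's configuration: the hostname, upstream address and paths are placeholders, and the `always` parameter (which emits the header on error responses too) is an assumption of this example, not something the PR uses. The `preload` variant is shown commented out, as the second of the two alternatives the thread refers to.

```nginx
# Added illustration (not the PR's own config): how nginx add_header inheritance
# drops an HSTS header set at a higher level, and how to restore it.
# Hostname, upstream, paths and the 'always' flag are assumptions for this example.

events {}

http {
    # Set once for every virtual host. Pick ONE of the two alternatives:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    #   'preload' signals eligibility for browsers' built-in HSTS preload lists;
    #   removal from those lists is slow, so enable it only deliberately.

    server {
        listen 443 ssl;
        server_name example.test;   # placeholder hostname

        # BROKEN: this block declares its own add_header, so nothing from the
        # http level is inherited here. Responses from this location carry
        # X-Frame-Options but no Strict-Transport-Security header.
        location /app-without-hsts/ {
            add_header X-Frame-Options "DENY" always;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }

        # FIXED: repeat the HSTS header alongside the block's own headers.
        location /app/ {
            add_header X-Frame-Options "DENY" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }

        # Untouched: no add_header here, so the http-level HSTS header is inherited.
        location /static/ {
            root /var/www/example;   # placeholder path
        }
    }
}
```

To confirm which locations actually emit the header after a reload, request each path and look at the response headers, e.g. `curl -sI https://example.test/app/ | grep -i strict-transport-security`; the `/app-without-hsts/` location should come back without it, which is exactly the silent gap the repeated `add_header` in the PR closes.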