nextcloud / documentation

📘 Nextcloud documentation
https://docs.nextcloud.com

enable HSTS #11931

Open wolegis opened 1 week ago

wolegis commented 1 week ago

According to Nginx's documentation, add_header settings are inherited by deeper nested server or location blocks only if these deeper blocks do not contain their own add_header statements. In our case, the relevant block indeed has its own add_header statements. Thus the HSTS settings from Nginx's main configuration file are not inherited and need to be reproduced.
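The inheritance rule described in the comment above, as an added illustration (example configuration, not text from the Nextcloud documentation or from the PR); host name, header values and the chosen max-age are constructed for the example.

```nginx
# Constructed example: only one of the two server blocks below would exist in
# a real configuration; they show the same block before and after the fix.

http {
    # HSTS set once at the http level ...
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # BEFORE: this block defines its own add_header directives, so it
    # inherits NOTHING from the http level. Responses carry the two
    # headers below but no Strict-Transport-Security header at all.
    server {
        listen 443 ssl;
        server_name before.example.invalid;   # placeholder host name

        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # ... remaining directives omitted
    }

    # AFTER: the HSTS header is repeated inside the block. The two
    # Strict-Transport-Security lines are ALTERNATIVES; keep exactly one:
    #  - the first enables HSTS for this host and its subdomains;
    #  - the second additionally opts in to browser preload lists, which
    #    is very hard to undo, so enable it only after careful consideration.
    server {
        listen 443 ssl;
        server_name after.example.invalid;    # placeholder host name

        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;

        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # ... remaining directives omitted
    }
}
```

After reloading, `curl -sI https://<host>/ | grep -i strict-transport-security` shows whether the header actually reaches clients from the block that serves the request.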

susnux commented 3 days ago

@wolegis Thank you! But could you please sign off your commit? (git commit --amend -s)

wolegis commented 2 days ago

> The HSTS header config is now included twice. I see no difference between both versions and HSTS should not be enabled by default in my opinion. Enabling it has severe implications and should be considered thoroughly.

The two add_header statements in the cited block are alternatives. Probably, the comments should emphasize this fact.

IMHO, HSTS in itself is desirable. The problematic part is preload and the comment pretty clearly indicates the implications.

wolegis commented 2 days ago

I've improved the comments (and additionally signed off the latest commit).