HSTS and X-Frame-Options

Some Developer someukdeveloper at gmail.com
Thu Jul 11 11:25:35 UTC 2013


I've just enabled HSTS and X-Frame-Options in my nginx configuration 
(1.2.9) and was wondering if I have done it correctly.

Currently my site has 4 server blocks.

One to redirect domain.com to https://www.domain.com

One to redirect www.domain.com to https://www.domain.com

One to redirect https://domain.com to https://www.domain.com

And finally the main one for https://www.domain.com

I've added the following two lines to the final server block:

add_header Strict-Transport-Security max-age=63072000;   # HSTS, max-age is two years in seconds
add_header X-Frame-Options DENY;                         # refuse to be rendered in any frame

Do I need to add them to any of the other server blocks or is my current configuration
correct? If there are any other improvements to be made I'd be more than happy to hear about them.
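Below is how the four server blocks described in this post fit together, as an added example that is not the poster's configuration. Host names follow the post (domain.com and www.domain.com); certificate and document-root paths are assumptions, and the two plain-HTTP redirects are merged into a single server block because they do the same thing. The comments mark where the headers matter and where they do not.

```nginx
# Added example, not the original poster's configuration. Host names follow
# the post; certificate and root paths are assumed.

# Blocks 1 and 2: http://domain.com and http://www.domain.com -> https://www.domain.com
# HSTS is deliberately NOT set here: RFC 6797 requires browsers to ignore a
# Strict-Transport-Security header received over plain HTTP. A 301 has no
# body to frame, so X-Frame-Options is not needed on redirects either.
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://www.domain.com$request_uri;
}

# Block 3: https://domain.com -> https://www.domain.com
# This redirect IS served over TLS, so HSTS here pins the bare domain too.
# Without it, a user who later types http://domain.com still starts on plain
# HTTP and only gets pinned once the redirect chain reaches www.
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate     /etc/nginx/ssl/domain.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/domain.com.key;   # assumed path
    add_header Strict-Transport-Security max-age=63072000;
    return 301 https://www.domain.com$request_uri;
}

# Block 4: the site itself
server {
    listen 443 ssl;
    server_name www.domain.com;
    ssl_certificate     /etc/nginx/ssl/domain.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/domain.com.key;   # assumed path

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;

    location / {
        root /var/www/domain.com;   # assumed path
    }

    # Caveat: add_header is inherited from the server level only when the
    # location defines no add_header of its own. A location that sets, say,
    # a Cache-Control header silently loses both security headers unless
    # they are repeated at that level.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        root /var/www/domain.com;   # assumed path
    }
}
```

Two caveats for nginx 1.2.9 specifically: add_header only applies to successful and redirect responses, so 4xx/5xx pages from this server will not carry either header (the `always` parameter that changes this arrived in 1.7.5), and `includeSubDomains` should only be appended to the HSTS value once every subdomain of domain.com is reachable over HTTPS, since it pins all of them. After reloading, `curl -sI https://www.domain.com/ | grep -i -e strict-transport -e x-frame` on a 200 and on a 404 response shows which of the two cases you are in.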

