HSTS and X-Frame-Options
someukdeveloper at gmail.com
Thu Jul 11 14:43:01 UTC 2013
On 11/07/13 12:25, Some Developer wrote:
> I've just enabled HSTS and X-Frame Options in my nginx configuration
> (1.2.9) and was wondering if I have done it correctly.
> Currently my site has 4 server blocks.
> One to redirect domain.com to https://www.domain.com
> One to redirect www.domain.com to https://www.domain.com
> One to redirect https://domain.com to https://www.domain.com
> And finally the main one for https://www.domain.com
> I've added the following two lines to the final server block:
> |add_header Strict-Transport-Security max-age=63072000;|
> |add_header X-Frame-Options DENY;
> Do I need to add them to any of the other server blocks or is my current
> correct? If there are any other improvements to be made I'd be more than
> happy to hear about them.
Hmm seems like my copy and paste job screwed with the text. These are
the actual lines:
add_header X-Frame-Options DENY;
add_header Strict-Transport-Security max-age=63072000;
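The four-block layout described in the message, as an added example that is not part of the original post: browsers ignore HSTS received over plain HTTP and record the policy only for the host that sent it (RFC 6797), so the header is repeated in the https://domain.com redirect block as well as the main one. The certificate paths and document root are placeholders.

```nginx
# Added example. domain.com, certificate paths and root are placeholders.

# Blocks 1 and 2: plain-HTTP redirects. Strict-Transport-Security is
# ignored by browsers when it arrives over HTTP, so it is not set here.
server {
    listen 80;
    server_name domain.com;
    return 301 https://www.domain.com$request_uri;
}

server {
    listen 80;
    server_name www.domain.com;
    return 301 https://www.domain.com$request_uri;
}

# Block 3: HTTPS redirect for the bare domain. The HSTS policy is stored
# per host, so domain.com is only covered if this block sends the header.
# add_header is applied to 301 responses, so it accompanies the redirect.
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate     /path/to/cert.pem;   # placeholder
    ssl_certificate_key /path/to/key.pem;    # placeholder

    add_header Strict-Transport-Security max-age=63072000;
    return 301 https://www.domain.com$request_uri;
}

# Block 4: the main site. X-Frame-Options matters only where content is
# rendered, so it is needed here and not on the redirect blocks.
server {
    listen 443 ssl;
    server_name www.domain.com;
    ssl_certificate     /path/to/cert.pem;   # placeholder
    ssl_certificate_key /path/to/key.pem;    # placeholder

    add_header X-Frame-Options DENY;
    add_header Strict-Transport-Security max-age=63072000;

    root /path/to/site;                      # placeholder
    # A location that declares its own add_header does not inherit the two
    # above; repeat both inside any such location.
}
```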