Receiving 2 strict-transport-security headers with different times

deltaxfx nginx-forum at nginx.us
Sun Feb 8 01:08:12 UTC 2015


I have a domain setup with SSL and I am trying to get HSTS headers working.
I have done this in NGINX before with no problem. On this new domain I can't
seem to get HSTS working properly. Not sure what I am doing wrong. 
I have the following in the server block for the SSL server:
add_header Strict-Transport-Security "max-age=31536000;";

When I run "curl -s -D- https://my.domain.net/ | grep Strict"
I receive the following:
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000;

From all the reading I've done trying to figure this out, my impression is
that the add_header in the server directive will override any
previous declaration (there are none). Is that correct?
I grepped my entire /etc directory and there is only one instance of
"max-age", and that is in my SSL server config, with one year (31536000
seconds). So nowhere on this system, which was just built and is only
accessed by me, is there any reference to HSTS with max-age=0. There is only
one config in sites-enabled, and that is for my.domain.net. There is a port
80 config with a return 301 statement to permanently redirect to the SSL
server config.

My nginx version is 1.6.2, on Ubuntu 14.04 LTS. 
I have been unable to find any help on the web for where the invalid
(max-age=0) could be coming from. When testing on ssllabs they report the
max-age=0 header. When running the curl statement above on my local network
I show the above output. 

I'm not sure where to go from here trying to figure this out. There is
nothing in the NGINX error log; I wouldn't expect anything, as NGINX restarts
with no issues.

Thanks for reading!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256508,256508#msg-256508
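The two Strict-Transport-Security fields in the curl output above, checked by an added example (not from the post and not nginx's own code): it parses each field per RFC 6797 and reports which one a browser actually honours. SAMPLE_RESPONSE is a constructed copy of the quoted output; nothing is fetched from the network.

```python
# Added example, not from the post: report the HSTS policy a browser would apply.
# SAMPLE_RESPONSE is a constructed copy of the curl -D- output quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n\r\n"
)

def header_values(raw_response, name):
    """All values of header `name`, in order of appearance (case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def parse_sts(value):
    """Parse one STS field value (RFC 6797 s6.1); a trailing ';' is legal."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def check_hsts(raw_response):
    """Effective policy plus findings. RFC 6797 s8.1: a UA processes only the
    FIRST STS field, so a leading max-age=0 beats the later one-year value."""
    values = header_values(raw_response, "Strict-Transport-Security")
    if not values:
        return {"effective": None, "findings": ["no STS header"]}
    effective, findings = parse_sts(values[0]), []
    if len(values) > 1:
        findings.append("%d STS fields; only the first is honoured" % len(values))
    if effective["max_age"] is None:
        findings.append("first STS field has no valid max-age; UA ignores it")
    elif effective["max_age"] == 0:
        findings.append("max-age=0: UA will not enforce HSTS for this host")
    return {"effective": effective, "findings": findings}

if __name__ == "__main__":
    print(check_hsts(SAMPLE_RESPONSE))
```

Running it against the quoted output reports an effective max-age of 0 with two findings, which matches the SSL Labs result the post mentions.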
