Receiving 2 strict-transport-security headers with different times

NitrouZ dewanggaba at xtremenitro.org
Sun Feb 8 04:06:20 UTC 2015


I've got same experience with Laravel framework. They have another
configuration to set header like that.

What web apps framework do you use?

On Sunday, February 8, 2015, deltaxfx <nginx-forum at nginx.us> wrote:

> I have a domain setup with SSL and I am trying to get HSTS headers working.
> I have done this in NGINX before with no problem. On this new domain I
> can't
> seem to get HSTS working properly. Not sure what I am doing wrong.
> I have the following in the server block for the SSL server:
> add_header Strict-Transport-Security "max-age=31536000;";
>
> When I run "curl -s -D- https://my.domain.net/ | grep Strict"
> I receive the following:
> Strict-Transport-Security: max-age=0
> Strict-Transport-Security: max-age=31536000;
>
> From all the reading I've done trying to figure this out, my impression is
> that with the add_header in the server directive, that will override any
> previous declaration (there are none). Is that correct?
> I grep'ed my entire /etc directory and there is only one instance of
> "max-age" and that is in my ssl server config, with one year (31536000
> seconds). So no where on this system, which was just built, and only
> accessed by me, is there any reference to HSTS with max-age=0. There is
> only
> one config in sites-enabled, and that is for my.domain.net. There is a
> port
> 80 config with a return 301 statement to permanently redirect to the SSL
> server config.
>
> My nginx version is 1.6.2, on Ubuntu 14.04 LTS.
> I have been unable to find any help on the web for where the invalid
> (max-age=0) could be coming from. When testing on ssllabs they report the
> max-age=0 header. When running the curl statement above on my local network
> I show the above output.
>
> I'm not sure where to go from here trying to figure this out. There is
> nothing in the NGINX error log, I wouldn't expect anything as NGINX
> restarts
> with no issues.
>
> Thanks for reading!
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256508,256508#msg-256508
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org <javascript:;>
> http://mailman.nginx.org/mailman/listinfo/nginx
>


-- 
Sent from iDewangga Device
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20150208/8630a088/attachment.html>


More information about the nginx mailing list