[Solved] Receiving 2 strict-transport-security headers with different times

deltaxfx nginx-forum at nginx.us
Sun Feb 8 04:42:11 UTC 2015

dewanggaba, your hint was correct. Even though I am using the NGINX config
supplied by ownCloud, there was still a setting in the admin panel to force
HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS
(in PHP) is set to off (and just forced through the server config), ownCloud
sends an HSTS header for max-age=0!
This is ownCloud 7.0.4 (stable).
Here is the relevant code in case it helps anyone who might be searching for
the same thing in the future:

public static function checkSSL() {
		// redirect to https site if configured
		if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
			// Default HSTS policy
			$header = 'Strict-Transport-Security: max-age=31536000';
			// If SSL for subdomains is enabled add "; includeSubDomains" to the
false)) {
				$header .= '; includeSubDomains';
			ini_set('session.cookie_secure', 'on');
			if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
				$url = 'https://' . OC_Request::serverHost() .
				header("Location: $url");
		} else {
			// Invalidate HSTS headers
			if (OC_Request::serverProtocol() === 'https') {
				header('Strict-Transport-Security: max-age=0');

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256508,256513#msg-256513

More information about the nginx mailing list