Send Strict-Transport-Security header in 401 response

Francis Daly francis at
Sun Jun 19 09:57:34 UTC 2016

On Sun, Jun 19, 2016 at 11:51:28AM +0200, Thomas Glanzmann wrote:

Hi there,

> I would like to send the header:
> add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
> Despite the 401 Unauthorized request. Is that possible?

That suggests that you can use an "always" parameter.

Is that appropriate in this case?

If not, then possibly the third-party "headers more" module may be useful.

Francis Daly        francis at

More information about the nginx mailing list