Hi,<div><br></div><div>Glad to help.</div><div><br></div><div>Cheers.<br><br>On Sunday, February 8, 2015, deltaxfx <<a href="mailto:nginx-forum@nginx.us">nginx-forum@nginx.us</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">dewanggaba, your hint was correct. Even though I am using the NGINX config<br>
supplied by ownCloud, there was still a setting in the admin panel to force<br>
HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS<br>
(in PHP) is set to off (and just forced through the server config), ownCloud<br>
sends an HSTS header for max-age=0!<br>
This is ownCloud 7.0.4 (stable).<br>
Here is the relevant code in case it helps anyone who might be searching for<br>
the same thing in the future:<br>
<br>
<br>
public static function checkSSL() {<br>
                // redirect to https site if configured<br>
                if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {<br>
                        // Default HSTS policy<br>
                        $header = 'Strict-Transport-Security: max-age=31536000';<br>
                        // If SSL for subdomains is enabled add "; includeSubDomains" to the header<br>
                        if(\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {<br>
                                $header .= '; includeSubDomains';<br>
                        }<br>
                        header($header);<br>
                        ini_set('session.cookie_secure', 'on');<br>
                        if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {<br>
                                $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();<br>
                                header("Location: $url");<br>
                                exit();<br>
                        }<br>
                } else {<br>
                        // Invalidate HSTS headers<br>
                        if (OC_Request::serverProtocol() === 'https') {<br>
                                header('Strict-Transport-Security: max-age=0');<br>
                        }<br>
                }<br>
        }<br>
<br>
Posted at Nginx Forum: <a href="http://forum.nginx.org/read.php?2,256508,256513#msg-256513" target="_blank">http://forum.nginx.org/read.php?2,256508,256513#msg-256513</a><br>
<br>
</blockquote></div><br><br>-- <br>Sent from iDewangga Device<br>
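Added example, not part of the thread or of ownCloud's code: a check for the situation described above, where the application emits `Strict-Transport-Security: max-age=0` alongside a policy set in the server config. It applies the RFC 6797 rules (only the first field is processed, `max-age=0` clears the stored policy); the function names and the sample header lists are constructed for illustration.

```python
# Added example; the header lists under SAMPLES are constructed, not captured.

def parse_sts(value):
    """Return (max_age, include_subdomains) for one field value, or None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # token or quoted-string form
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else (max_age, include_sub)  # max-age is mandatory


def audit_hsts(headers):
    """headers: (name, value) pairs in the order they arrived in one HTTPS response."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return None, ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("%d HSTS fields; only the first is processed" % len(values))
    policy = parse_sts(values[0])            # RFC 6797 section 8.1: first field wins
    if policy is None:
        findings.append("first HSTS field is invalid and will be ignored")
    elif policy[0] == 0:
        findings.append("max-age=0: browser drops its stored HSTS policy")
    return policy, findings


SAMPLES = {  # constructed header sets
    "app_first": [("Strict-Transport-Security", "max-age=0"),
                  ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "proxy_only": [("Strict-Transport-Security", "max-age=31536000")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_hsts(hdrs))
```

Feed it the header pairs from a real response in the order received, since which field comes first decides the effective policy.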