Server provided more than one HSTS header

After investigating this result in SSLLABS, “Invalid: Server provided more than one HSTS header”, I discovered that my new install is indeed sending two HSTS headers.

curl -I https://mydomain.com/ | grep -i Strict

strict-transport-security: max-age=63072000; includeSubDomains
strict-transport-security: max-age=31536000

A quick search revealed that this issue was mentioned back in 2017, but I don’t see anything recent. The “max-age=31536000” header is coming from nginx, but I’m not sure where the other is coming from. Any help resolving this would be greatly appreciated.
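An added check, written for this thread and not part of the original post or of Mastodon's configuration, that reports exactly the condition SSL Labs flagged (more than one HSTS header) rather than just grepping for the header. It assumes a POSIX shell; the `check_url` helper additionally assumes `curl` is installed, and `mydomain.com` is the post's placeholder host.

```shell
#!/bin/sh
# Added example (not from the original post or from Mastodon):
# audit the Strict-Transport-Security headers in an HTTP response.
# SSL Labs treats a response carrying more than one HSTS header
# as invalid, so the duplicate case is reported explicitly.

# Constructed sample: the two headers observed in the post.
SAMPLE_DUPLICATE='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains
strict-transport-security: max-age=31536000
content-type: text/html'

# Read response headers on stdin and print a one-line verdict:
#   ok <max-age> <includeSubDomains|noSubDomains>
#   duplicate <count> | missing | malformed
# Exit status is 0 only for exactly one well-formed header.
check_hsts() {
  hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' || true)
  n=$(printf '%s\n' "$hsts" | grep -c . || true)
  case "$n" in
    0) echo missing; return 1 ;;
    1) ;;
    *) echo "duplicate $n"; return 1 ;;
  esac
  max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo malformed; return 1; }
  if printf '%s\n' "$hsts" | grep -qi includesubdomains; then
    sub=includeSubDomains
  else
    sub=noSubDomains
  fi
  echo "ok $max_age $sub"
}

# Live check of a site (assumes curl is available), e.g.:
#   check_url https://mydomain.com/
check_url() {
  curl -sI "$1" | check_hsts
}

# Demonstration on the constructed sample: prints "duplicate 2".
if ! printf '%s\n' "$SAMPLE_DUPLICATE" | check_hsts; then
  echo "this response would be flagged by SSL Labs"
fi
```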

This solution was provided via GitHub and they will fix it in a future release. Lines marked with - are to be removed and lines with + added.

https://github.com/mastodon/mastodon/issues/17083#issuecomment-985522616

diff --git a/dist/nginx.conf b/dist/nginx.conf
index 27ca868ab..1de5ecdcb 100644
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@@ -52,21 +52,19 @@ server {
   gzip_http_version 1.1;
   gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
-  add_header Strict-Transport-Security "max-age=31536000" always;
-
   location / {
     try_files $uri @proxy;
   }
 
   location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
     add_header Cache-Control "public, max-age=31536000, immutable";
-    add_header Strict-Transport-Security "max-age=31536000" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri @proxy;
   }
 
   location /sw.js {
     add_header Cache-Control "public, max-age=0";
-    add_header Strict-Transport-Security "max-age=31536000" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri @proxy;
   }
 
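Review bot: Removing the server-level `add_header Strict-Transport-Security "max-age=31536000" always;` (the first `-` line of this hunk) means nginx itself now emits HSTS only in the two locations that still set it explicitly, because `add_header` directives inside a `location` replace rather than extend those of the enclosing `server`; `location /` and anything else that falls through to `@proxy` will carry the header only if the upstream response already does, which is what the `max-age=63072000; includeSubDomains` line in the post's `curl` output suggests. After deploying, `curl -I` on `/`, on a `/packs/...` path and on `/sw.js` should each return exactly one `strict-transport-security` header. The new value also turns on `includeSubDomains`, which extends the policy to every subdomain of the host; that matches the upstream header, but every subdomain must already serve HTTPS before browsers cache a two-year policy.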
@@ -90,7 +88,6 @@ server {
     proxy_cache_valid 410 24h;
     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
     add_header X-Cached $upstream_cache_status;
-    add_header Strict-Transport-Security "max-age=31536000" always;
 
     tcp_nodelay on;
   }
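Review bot: Dropping the `add_header Strict-Transport-Security` line in `@proxy` leaves proxied (and `proxy_cache`d) responses with only the HSTS header the upstream sets, so the fix relies on the application always sending one; if it ever stops, responses served through this block would have no HSTS at all while the static-file locations from the first hunk would still have it, a regression that is easy to miss. A post-deploy check that `curl -I https://mydomain.com/` returns exactly one `strict-transport-security` header belongs alongside this change.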

