0
votes

I want to allow HSTS on a SUBDOMAIN ONLY (test.example.com) on nginx and NOT ON the DOMAIN, because I simply do not have any host linking to my original domain (example.com) in my application; this means I only have subdomains in my nginx configuration.

I tried to add the header in the server block, as suggested:

server {
    listen 80;
    listen [::]:80;
    server_name test.example.com;
    add_header Strict-Transport-Security max-age=31536000;
....
....
}

but it didn't work.

What to do in this case? Am I not allowed to enable HSTS if I am not using direct domain access to my app? Or am I missing something?

nginx version: nginx/1.10.3 (Ubuntu)

1
What didn't work? Is the header added to the response headers? – Richard Smith
@RichardSmith No, it's still showing the header max-age=0 in the response. – Ghassan Zein
Why are you setting this in the port 80 HTTP server instead of the port 443 HTTPS server? HSTS should only be sent over HTTPS. – Barry Pollard
@BarryPollard I put it in 443 as well anyway, but same result. Does HSTS have to work on the DOMAIN first and then on sub-domains? Or can I allow it for subdomains directly without passing it to the domain? – Ghassan Zein
It can be allowed at the subdomain or domain level. – Barry Pollard

1 Answer

0
votes

Something like this would work:

http {
  index index.html;

  # Plain HTTP for both names: no HSTS here. Browsers ignore the header
  # when it arrives over HTTP (RFC 6797), so it belongs in HTTPS blocks only.
  server {
    listen 80;
    listen [::]:80;
    server_name example.com test.example.com;
  }

  # HTTPS for the top-level domain: deliberately no HSTS header.
  server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    # ssl_certificate and ssl_certificate_key are required here for nginx to start
  }

  # HTTPS for the subdomain: the only block that sends HSTS.
  server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.example.com;
    # ssl_certificate and ssl_certificate_key are required here for nginx to start
    add_header Strict-Transport-Security max-age=31536000;
  }
}

As the HSTS header is only set in the third server block, it will only be sent when that server_name is matched. It will not be sent for the first (port 80) server block, nor for the second (port 443) block serving the top-level domain.

However, this still does not answer why it still shows max-age=0 with your current config. That suggests something else is setting this, and this may still happen even with the above config and override any of these settings. You need to find out what is setting that.
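As an added example that is not part of the original answer: a small POSIX shell check for the situation described in the thread, which parses the response headers of an HTTPS request, extracts the Strict-Transport-Security max-age, and reports whether HSTS is ok, absent, disabled (max-age=0, the value the asker saw) or too short. The header sets below are constructed inline so the script runs offline; in practice you would feed it `curl -sI https://test.example.com` output, and it must be the https:// URL, since a browser ignores HSTS received over plain HTTP. The one-year threshold is an assumption, not something the answer states.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Extract the max-age value of the first Strict-Transport-Security header
# in a captured response, or print "none" if the header is absent.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n 1 \
    | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | grep . || echo none
}

# Classify a captured HTTPS response:
#   ok        header present with max-age >= one year (assumed threshold)
#   short     header present but max-age below one year
#   disabled  header present with max-age=0 (tells browsers to forget HSTS)
#   missing   no Strict-Transport-Security header at all
hsts_status() {
  age=$(hsts_max_age "$1")
  case "$age" in
    none) echo missing ;;
    0) echo disabled ;;
    *) if [ "$age" -ge 31536000 ]; then echo ok; else echo short; fi ;;
  esac
}

# Fetch only the headers of the HTTPS endpoint for a real check (not run here).
# Example: hsts_status "$(fetch_https_headers test.example.com)"
fetch_https_headers() {
  curl -sI "https://$1/"
}

# Constructed sample responses (not real captures).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'

ZERO_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Strict-Transport-Security: max-age=0
Content-Type: text/html'

SHORT_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
strict-transport-security: max-age=300; includeSubDomains
Content-Type: text/html'

NO_HSTS_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Content-Type: text/html'

echo "subdomain with one-year HSTS: $(hsts_status "$GOOD_HEADERS")"
echo "response with max-age=0:      $(hsts_status "$ZERO_HEADERS")"
echo "response with max-age=300:    $(hsts_status "$SHORT_HEADERS")"
echo "top-level domain, no header:  $(hsts_status "$NO_HSTS_HEADERS")"
```

Run it against the subdomain and the top-level domain separately: for the configuration in the answer the subdomain should report ok and example.com should report missing. A result of disabled on the subdomain means some other component in the request path is emitting max-age=0, which is the thing the answer says still has to be tracked down.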