nextcloud · wolegis · Jun 25, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
@@ -38,6 +38,11 @@ server {
     server_tokens off;
 
     # HSTS settings
+    # the following two add_header statements are alternatives
+    # although already present in main configuration file this must be
+    # reproduced here (see
+    # http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+    add_header Strict-Transport-Security "max-age=15768000" always;
     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option
     # will add the domain to a hardcoded list that is shipped

diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
@@ -94,12 +94,17 @@ server {
         client_body_buffer_size 512k;
 
         # HSTS settings
+        # the following two add_header statements are alternatives
+        # although already present in main configuration file this must be
+        # reproduced here (see
+        # http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+        add_header Strict-Transport-Security "max-age=15768000" always;
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 
         # HTTP response headers borrowed from Nextcloud `.htaccess`
         add_header Referrer-Policy                   "no-referrer"       always;