
Thanks!
Hello Elvis!
Is ‘always’ set right?
Generally it’s used, generally it isn’t used.
For instance, it is used on Apache but not on NGINX:
Apache
Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"
NGINX
add_header Strict-Transport-Security max-age=10886400;
Hello there,
The standard requires sending this header always, except when the request is made to plain HTTP. This implies an HSTS Host returns the “Strict-Transport-Security” HTTP response header field in its HTTP response messages sent over secure transport. An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. ‘Always’ implies that the header will be sent even when the HTTP status code is 4xx or 5xx. So arguably, it needs to be set to always within the HTTPS blocks and never be set in HTTP blocks at all. Hopefully, that will help. 🙂
Thanks for the reply Louis 🙂
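The arrangement described in the answer above, written out as an NGINX configuration. This is an added example, not configuration posted by anyone in the thread; the host name, certificate paths and the /static/ location are placeholders, and the max-age value is the one from the question.

```nginx
# Plain-HTTP listener: redirect only, no Strict-Transport-Security here.
server {
    listen 80;
    server_name example.com;                              # placeholder host name
    return 301 https://$host$request_uri;
}

# HTTPS listener: "always" makes nginx add the header to every response,
# including 4xx and 5xx. Without it, add_header applies only to
# 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses.
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder host name
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    add_header Strict-Transport-Security "max-age=10886400" always;

    location /static/ {                                   # placeholder location
        # A block that declares its own add_header stops inheriting the
        # server-level ones, so the HSTS line is repeated here.
        add_header Cache-Control "public, max-age=3600";
        add_header Strict-Transport-Security "max-age=10886400" always;
    }
}
```

On Apache the same split means placing the `Header always set` line inside the port 443 virtual host only.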