diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
index fd8e8fe9ded..1dc0ba3ec06 100644
--- a/admin_manual/installation/nginx-root.conf.sample
+++ b/admin_manual/installation/nginx-root.conf.sample
@@ -38,6 +38,11 @@ server {
 server_tokens off;
 # HSTS settings
+# the following two add_header statements are alternatives
+# although already present in main configuration file this must be
+# reproduced here (see
+# http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index bbfbae2d885..c3670791134 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
+++ b/admin_manual/installation/nginx-subdir.conf.sample
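Review bot: The four added comment lines say the header "must be reproduced here" but never state the rule that makes that true, and a reader who does not follow the link will not learn why: nginx inherits `add_header` directives from the enclosing level only when the current level defines no `add_header` of its own, so the other headers this server block sets (the subdir sample sets Referrer-Policy a few lines below; the root sample presumably does the same) silently drop any HSTS header configured at the http level. I would replace the comment with `# add_header is inherited from the http/server level only if this block sets no add_header of its own; because other headers are set below, HSTS must be repeated here (http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)` followed by `# the two add_header lines below are alternatives: use exactly one`. The same comment block is added to nginx-subdir.conf.sample in the next hunk and should get the same wording. The server block this hunk sits in begins and ends outside the hunk.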
@@ -94,12 +94,17 @@ server {
 client_body_buffer_size 512k;
 # HSTS settings
+# the following two add_header statements are alternatives
+# although already present in main configuration file this must be
+# reproduced here (see
+# http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
-#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 # HTTP response headers borrowed from Nextcloud `.htaccess`
 add_header Referrer-Policy "no-referrer" always;
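Review bot: The commented-out preload alternative keeps `max-age=15768000` (about six months), which is below the minimum the HSTS preload list accepts: hstspreload.org at the time of writing requires a max-age of at least 31536000 seconds (one year) before a domain can be submitted, so an administrator who follows the "alternatives" comment and uncomments that line will have the submission rejected. Since the commit already edits that line to drop the stray semicolon after `preload`, I would change it in the same step to `#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` and add `# preload submission requires max-age >= 31536000 (one year)` to the WARNING comment above it. The new uncommented header on the line above is fine as a non-preload default, but the two values should not drift apart without explanation. The enclosing server block starts and ends outside the hunk.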