From 7c9e1ecfd1049cc0c5d33de5b8320184478ed8e2 Mon Sep 17 00:00:00 2001
From: wolegis
Date: Tue, 25 Jun 2024 17:45:35 +0200
Subject: [PATCH 1/2] enable HSTS according to Nginx' documentation

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

add_header settings are inherited to deeper nested server or location blocks only if these deeper blocks do not contain their own add_header statements. In our case the relevant block has indeed its own add_header statements. Thus the HSTS settings from Nginx' main configuration file are not inherited and need to be reproduced.
---
 admin_manual/installation/nginx-root.conf.sample | 3 +++
 admin_manual/installation/nginx-subdir.conf.sample | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
index fd8e8fe9ded..d663929bff5 100644
--- a/admin_manual/installation/nginx-root.conf.sample
+++ b/admin_manual/installation/nginx-root.conf.sample
@@ -38,6 +38,9 @@ server {
 server_tokens off;
 
 # HSTS settings
+ # although already present in main configuration file this must be reproduced here
+ # (see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+ add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index bbfbae2d885..82dcb648718 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
+++ b/admin_manual/installation/nginx-subdir.conf.sample
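Review bot: The uncommented `add_header Strict-Transport-Security "max-age=15768000" always;` is placed in the `server` block, so it is subject to exactly the inheritance rule the commit message cites one level down: any nested `location` block that issues its own `add_header` (the upstream samples' static-asset caching block does, if it is present in this file) will not inherit it, and responses served from such a block go out without HSTS. Either repeat the directive in those location blocks or make the comment say so, e.g. `# NOTE: add_header is not inherited by location blocks that set their own headers; repeat this line there`. The same point applies to the matching hunk in nginx-subdir.conf.sample. The enclosing `server` block starts and ends outside the hunk.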
@@ -94,6 +94,9 @@ server {
 client_body_buffer_size 512k;
 
 # HSTS settings
+ # although already present in main configuration file this must be reproduced here
+ # (see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+ add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped

From f4451b2b039c6c90f0da51cca2778f8231de81da Mon Sep 17 00:00:00 2001
From: wolegis
Date: Wed, 3 Jul 2024 09:48:06 +0200
Subject: [PATCH 2/2] improved comments regarding HSTS

Signed-off-by: wolegis
---
 admin_manual/installation/nginx-root.conf.sample | 6 ++++--
 admin_manual/installation/nginx-subdir.conf.sample | 8 +++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
index d663929bff5..1dc0ba3ec06 100644
--- a/admin_manual/installation/nginx-root.conf.sample
+++ b/admin_manual/installation/nginx-root.conf.sample
@@ -38,8 +38,10 @@ server {
 server_tokens off;
 
 # HSTS settings
- # although already present in main configuration file this must be reproduced here
- # (see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+ # the following two add_header statements are alternatives
+ # although already present in main configuration file this must be
+ # reproduced here (see
+ # http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
 add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index 82dcb648718..c3670791134 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
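Review bot: The new comment `# the following two add_header statements are alternatives` runs straight into the next sentence with no punctuation, and "the following two" is fragile: the second statement is commented out (as the subdir hunk of this commit shows) and several warning lines sit between them, so a reader may not pair them. A clearer version would be `# Use exactly one of the two Strict-Transport-Security lines below; the second, commented one adds includeSubDomains and preload.` followed by the inheritance note. The same comment text is added to nginx-subdir.conf.sample in the next hunk. The enclosing `server` block starts and ends outside the hunk.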
+++ b/admin_manual/installation/nginx-subdir.conf.sample
@@ -94,15 +94,17 @@ server {
 client_body_buffer_size 512k;
 
 # HSTS settings
- # although already present in main configuration file this must be reproduced here
- # (see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
+ # the following two add_header statements are alternatives
+ # although already present in main configuration file this must be
+ # reproduced here (see
+ # http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
 add_header Strict-Transport-Security "max-age=15768000" always;
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 
 # HTTP response headers borrowed from Nextcloud `.htaccess`
 add_header Referrer-Policy "no-referrer" always;
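Review bot: The correction of the quoted value from `preload;` to `preload` is made only in nginx-subdir.conf.sample; the root sample's hunk in this commit does not touch its corresponding commented line, so if that file still carries `preload;` it should receive the same fix, otherwise an admin who uncomments it sends a non-canonical header value. The commented preload variant also keeps `max-age=15768000`, which is below the one-year minimum hstspreload.org requires for preload submission; a comment next to that line would prevent a silent mismatch, e.g. `# preload submission requires max-age of at least 31536000 (one year)`. The enclosing `server` block starts and ends outside the hunk.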