Last active
August 8, 2019 21:40
Gist inetbiz/9712466
Lighttpd HSTS Configuration
server.modules += ( "mod_setenv" )
# Send HSTS only on HTTPS responses; browsers ignore the header over plain HTTP
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload")
}
https://hstspreload.org/ advises not to include preload in example configurations due to the difficulty of backing out once a domain has been included in the browsers' preload list. (Personally, I would also ask myself whether my domain is important enough to be rolled out to every browser in the world, or if my application is so security critical that this is appropriate. If I'm a bank, yes, sure; if I'm a blog, maybe not so much.)
Note that if you deploy mod_redirect e.g. to redirect from example.com to www.example.com, the list server.modules must contain mod_setenv BEFORE mod_redirect, otherwise the header will not be included in 301 responses, leaving example.com unprotected. (Mentioned in https://redmine.lighttpd.net/issues/1895 and confirmed by my own tests with lighttpd 1.4.53.) Line 1 would append mod_setenv to the end of the list.
Edit /etc/lighttpd/modules.conf (or other system-dependent location) and place 'mod_setenv' at the beginning of the server.modules list instead.
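The two pitfalls raised in the comments above (mod_setenv appended after mod_redirect, and preload left in a copy-pasted header) can be caught before reload with a small config lint. This is an added example, not part of the gist and not a lighttpd tool; it assumes a simplified lighttpd.conf where server.modules is set with "=" and "+=" at top level, and the sample configs are constructed.

```python
import re

# Constructed sample: the gist's line appended after a modules.conf that already
# lists mod_redirect, i.e. the broken ordering described in the comments.
BROKEN_CONF = """
server.modules = ( "mod_access", "mod_redirect", "mod_accesslog" )
server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload")
}
"""

# Constructed sample: mod_setenv placed first in modules.conf, as the fix advises.
FIXED_CONF = BROKEN_CONF.replace(
    '( "mod_access", "mod_redirect", "mod_accesslog" )',
    '( "mod_setenv", "mod_access", "mod_redirect", "mod_accesslog" )')

def module_order(conf):
    """Effective server.modules list: '=' resets it, '+=' appends to it."""
    mods = []
    for m in re.finditer(r'server\.modules\s*(\+?=)\s*\(([^)]*)\)', conf):
        names = re.findall(r'"([^"]+)"', m.group(2))
        mods = names if m.group(1) == "=" else mods + names
    return mods

def setenv_before_redirect(conf):
    """True if mod_setenv loads before mod_redirect (or mod_redirect is absent),
    so the HSTS header is also set on 301 redirect responses."""
    mods = module_order(conf)
    if "mod_redirect" not in mods:
        return True
    return "mod_setenv" in mods and mods.index("mod_setenv") < mods.index("mod_redirect")

def hsts_value(conf):
    """Extract the configured Strict-Transport-Security value, or None."""
    m = re.search(r'"Strict-Transport-Security"\s*=>\s*"([^"]*)"', conf)
    return m.group(1) if m else None

def check_hsts(value, min_age=31536000):
    """Findings for an HSTS header value (empty list means nothing to flag)."""
    findings = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [d for d in directives if d.startswith("max-age=")]
    if len(ages) != 1 or not ages[0][8:].isdigit():
        findings.append("max-age missing or malformed")
    elif int(ages[0][8:]) < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay unprotected")
    if "preload" in directives:
        findings.append("preload present: hard to reverse once on the browser preload list")
    return findings
```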