How to configure HSTS header?

I found out that the HSTS header can be added in the /etc/gitlab/gitlab.rb with the following command:

nginx['custom_gitlab_server_config'] = "add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;"

But there is a default HSTS header added in the /var/opt/gitlab/nginx/conf/gitlab-http.conf as follows:

add_header Strict-Transport-Security "max-age=63072000";

When both are added, there are 2 HSTS headers displayed in the Analyse your HTTP response headers report (securityheaders.com).

If I modify the /var/opt/gitlab/nginx/conf/gitlab-http.conf to add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;, it still shows add_header Strict-Transport-Security "max-age=63072000"; after executing gitlab-ctl reconfigure.

How to have only one HSTS header?

Hi,

You most likely want this: Configure SSL for a Linux package installation | GitLab

By default the values are in gitlab.rb like this:

# nginx['hsts_max_age'] = 63072000
# nginx['hsts_include_subdomains'] = false

As per the docs, if you set hsts_max_age to 0 then it will not use those settings:

at which point you can use your custom settings and in theory should only have one header.
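A quick way to confirm the result after `gitlab-ctl reconfigure` is to count the Strict-Transport-Security headers the server actually sends. The script below is an added example, not code from the forum post or from GitLab; the hostname in the usage comment is a placeholder, and the two header samples are constructed to mirror the situation described in the question (duplicate headers) and the intended end state (a single custom header). It also reports which of the duplicated headers takes effect: RFC 6797 section 8.1 requires browsers to process only the first HSTS header in a response and ignore the rest, so a stronger second header is silently discarded.

```shell
#!/bin/sh
# Added example (not from GitLab or the forum post): check that a GitLab host
# sends exactly one Strict-Transport-Security header.
# Live usage (hostname is a placeholder):
#   curl -sI https://gitlab.example.com/ | hsts_report

# Print the number of Strict-Transport-Security headers read from stdin.
# grep -c exits 1 when the count is 0; "|| true" keeps that from tripping set -e.
hsts_count() {
    grep -ic '^strict-transport-security:' || true
}

# Print the value of the FIRST Strict-Transport-Security header on stdin,
# with the header name, surrounding whitespace and any CR stripped.
# Browsers apply only the first HSTS header (RFC 6797 section 8.1), so this
# is the policy that actually takes effect when a server sends duplicates.
hsts_effective_value() {
    grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' | tr -d '\r'
}

# Read raw response headers from stdin and print a one-line verdict.
# Exit status: 0 for exactly one header, 1 for none, 2 for duplicates.
hsts_report() {
    headers=$(cat)
    n=$(printf '%s\n' "$headers" | hsts_count)
    case "$n" in
        1)
            echo "OK: one HSTS header: $(printf '%s\n' "$headers" | hsts_effective_value)"
            return 0 ;;
        0)
            echo "WARN: no HSTS header sent"
            return 1 ;;
        *)
            echo "FAIL: $n HSTS headers; browsers apply only the first: $(printf '%s\n' "$headers" | hsts_effective_value)"
            return 2 ;;
    esac
}

# Constructed sample: the duplicated-header response from the question
# (default template header first, custom_gitlab_server_config header second).
SAMPLE_DUP='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html'

# Constructed sample: the intended end state after nginx['hsts_max_age'] = 0,
# leaving only the custom add_header line.
SAMPLE_OK='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html'

# Demonstrate both cases; "|| true" so the non-zero verdict does not abort
# the script when it runs under set -e.
printf '%s\n' "$SAMPLE_DUP" | hsts_report || true
printf '%s\n' "$SAMPLE_OK" | hsts_report || true
```

Run it against the live host once with the defaults and once after setting `nginx['hsts_max_age'] = 0` alongside the `custom_gitlab_server_config` line from the question; the FAIL verdict should turn into OK, and the reported effective value should be the custom policy rather than the template's bare `max-age=63072000`.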