Nginx - enable HTTP Strict Transport Security

fjordithenry · July 24, 2019, 3:16pm

Hi All,

I’ve trying to configure my gitlab.rb to enable HTTP Strict Transport Security to includeSubDomain. When i copy and comment out the header below, i get the following error that the syntax is incorrect. On the error message, there’s an arrow pointing to the " sign above ‘max age’. Does anyone know the correct syntax or line I should be using to enable this security header?

[Optional] Enable HTTP Strict Transport Security

## HSTS is a feature improving protection against MITM attacks

## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

add_header Strict-Transport-Security “max-age=31536000” “includeSubDomains”;

There was an error running gitlab-ctl reconfigure:
/etc/gitlab/gitlab.rb:346: syntax error, unexpected tSTRING_BEG, expecting keyword_do or ‘{’ or ‘(’
…der Strict-Transport-Security “max-age=31536000” "includeSub…

hyj1116 · March 27, 2023, 6:25am

Maybe you can try this command:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Topic		Replies	Views
How to configure HSTS header? Self-managed security	1	3280	March 27, 2023
Adding headers to omnibus package Gitlab-ee How to Use GitLab	0	870	June 11, 2019
Tenable / Nessus Plugin 84502: HSTS Missing From HTTPS Server GitLab Government User Group security	0	1022	May 11, 2023
Gitlab Omnibus using https without domain name How to Use GitLab	2	3736	June 13, 2016
GitLab http worked fine on reverse proxy, but not +SSL How to Use GitLab	0	1601	June 29, 2017

Nginx - enable HTTP Strict Transport Security

[Optional] Enable HTTP Strict Transport Security

## HSTS is a feature improving protection against MITM attacks

## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

Related topics