How to Enable HTTP Strict Transport Security in Nginx

This article will demonstrate how to enable HTTP Strict Transport Security in Nginx, complete with practical examples of Nginx configurations. Through these, you’ll gain a clear understanding of both the process and the benefits involved.

In the digital age, securing web traffic is paramount, and enabling HTTP Strict Transport Security in Nginx is a key step towards achieving this. HSTS, a security feature that enforces secure connections to the server, offers a robust defense against common vulnerabilities like man-in-the-middle attacks. This introduction delves into the world of HSTS in Nginx, underlining its features and advantages:

  • Enhanced Security: HSTS strengthens your website’s security by mandating HTTPS connections, preventing users from connecting via insecure HTTP.
  • Mitigation of Attacks: It plays a crucial role in mitigating attacks such as SSL stripping, where attackers downgrade a secure HTTPS connection to an insecure HTTP one.
  • SEO Advantages: Search engines often favor HTTPS-enabled sites, potentially boosting your site’s ranking.
  • User Trust: Implementing HSTS builds user trust by ensuring a consistently secure connection.
  • Compliance: For websites handling sensitive data, HSTS aids in meeting various compliance standards that mandate secure data transmission.

Embracing HSTS in Nginx is more than just a technical adjustment; it signifies a commitment to enhanced web security and user trust. In the upcoming sections, we’ll guide you through enabling HSTS, ensuring your website reaps these security benefits. Let’s dive into the specifics of enabling HSTS in Nginx, moving towards a more secure and trusted web presence.

Implementing HTTP Strict Transport Security in NGINX

Step 1: Backup NGINX Configuration for HSTS Setup

Before activating HTTP Strict Transport Security (HSTS) in NGINX, it’s critical to back up your current NGINX configuration. This precautionary measure ensures that you can revert to the original settings if the need arises. To create a backup, use the following command:

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup

This command effectively creates a backup of your NGINX configuration, safeguarding your original settings.

Step 2: Access and Edit NGINX Configuration for HSTS

To integrate HSTS, access your NGINX configuration file with a text editor. Open the configuration file with this command:

sudo nano /etc/nginx/nginx.conf

Feel free to substitute ‘nano’ with your preferred text editor. Accurate editing of this file is crucial for the successful implementation of HSTS.

Step 3: Integrating HSTS into NGINX Server Block

In this step, locate the HTTPS server block (the one with listen 443 ssl) in your NGINX configuration. The header is only meaningful on TLS responses, since browsers ignore it when it arrives over plain HTTP. Inside that block, add the HSTS directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

This line achieves two objectives:

  1. Setting Max-Age: It establishes a one-year duration (31536000 seconds) for browsers to remember and enforce this security setting.
  2. Applying to Subdomains: The ‘includeSubDomains’ directive extends HSTS protection to all subdomains under your server.

The trailing always parameter tells NGINX to attach the header to every response, including 4xx and 5xx error pages; without it, add_header is only applied to successful and redirect responses. Note also that add_header directives are not inherited by a location block that defines its own add_header, so any such location needs the HSTS line repeated inside it.

Step 4: Employing HSTS Preload for Enhanced Security

For advanced security, you can opt to add the preload directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Inclusion of ‘preload’ in your HSTS settings signals that you are willing to have your site hard-coded into the HSTS preload list shipped with browsers, which enforces HTTPS from the very first request rather than only after a first successful visit. The directive alone does not enrol the site: you submit the domain at hstspreload.org, which requires a max-age of at least one year, includeSubDomains, preload, and a redirect from HTTP to HTTPS. Because removal from the list takes months to reach users, only opt in once every subdomain is served over HTTPS.

Step 5: Validating and Saving NGINX Configuration

After configuring HSTS, validate your changes for any syntax errors:

sudo nginx -t

This command conducts a syntax check, ensuring that your new settings are error-free and ready for deployment.

Step 6: Restarting NGINX to Activate HSTS

To finalize the HSTS implementation, restart your NGINX server:

sudo systemctl restart nginx

This command triggers the application of your new HSTS settings, enhancing the security of your NGINX server.
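The steps above edit the directive into an existing file by hand. As an added example (not code from the original article), the shell script below renders a complete site configuration for a domain: an HTTP listener that only redirects to HTTPS, and the TLS server block that sends the HSTS header, including the repeat inside a location block that sets its own add_header. It also refuses to emit preload unless the one-year max-age and includeSubDomains that the preload list requires are present. The domain example.com, the certificate paths and the output path /etc/nginx/conf.d/example.com.conf are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Renders an NGINX site
# configuration with HSTS. Domain, certificate paths and output path below
# are hypothetical placeholders; adjust them for your own server.

# Print the HSTS add_header directive for the given policy.
# $1 = max-age in seconds, $2 = "yes" to add includeSubDomains, $3 = "yes" to add preload.
# Returns 1 if preload is requested without what the preload list requires
# (max-age >= 31536000 and includeSubDomains).
hsts_directive() {
    max_age=$1; subdomains=$2; preload=$3
    value="max-age=${max_age}"
    [ "$subdomains" = "yes" ] && value="${value}; includeSubDomains"
    if [ "$preload" = "yes" ]; then
        if [ "$max_age" -lt 31536000 ] || [ "$subdomains" != "yes" ]; then
            echo "preload requires max-age>=31536000 and includeSubDomains" >&2
            return 1
        fi
        value="${value}; preload"
    fi
    # "always" makes NGINX send the header on error responses (4xx/5xx) too.
    printf 'add_header Strict-Transport-Security "%s" always;\n' "$value"
}

# Render two server blocks for domain $1 using the HSTS directive line in $2.
render_site_config() {
    domain=$1; hsts_line=$2
    cat <<EOF
# Plain-HTTP listener: its only job is to redirect to HTTPS. No HSTS header
# here; browsers ignore the header on insecure connections anyway.
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;   # NGINX 1.25.1 or newer; older releases use "listen 443 ssl http2;"
    server_name ${domain} www.${domain};

    ssl_certificate     /etc/ssl/${domain}/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/${domain}/privkey.pem;     # placeholder path

    ${hsts_line}

    root /var/www/${domain};

    location /api/ {
        # add_header is NOT inherited from the server block once a location
        # sets its own add_header, so the HSTS line has to be repeated here.
        add_header X-Content-Type-Options nosniff always;
        ${hsts_line}
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

# Usage: render the config, then validate with "nginx -t" before restarting.
#   render_site_config example.com "$(hsts_directive 31536000 yes no)" \
#       | sudo tee /etc/nginx/conf.d/example.com.conf >/dev/null && sudo nginx -t
```

Start without preload (the third argument set to no) and only switch it on once every subdomain is confirmed to work over HTTPS; the function will refuse to render the preload token until the max-age and includeSubDomains prerequisites are met.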

Verifying HTTP Strict Transport Security in NGINX

Testing HSTS Implementation with cURL Command

After setting up HTTP Strict Transport Security (HSTS) on your NGINX server, it’s crucial to verify its correct implementation. A practical and straightforward method is to use the curl command-line tool. This tool allows you to check the HTTP headers of your site and confirm the presence of the HSTS policy.

Step 1: Run the HSTS curl test

Execute the following curl command:

curl -I https://yourdomain.com

Be sure to replace yourdomain.com with the actual domain name of your website. This command requests the HTTP headers from your site without fetching the entire page content.

Step 2: Verify HSTS output

Next, look for the Strict-Transport-Security header in the curl command’s output. A successful HSTS implementation will show a response similar to the following:

HTTP/2 200 
...
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
...

The key aspects to notice in this response are:

  • Status Code: HTTP/2 200 or similar, indicating that the site is reachable.
  • Strict-Transport-Security Header: This should be present and include directives like max-age, includeSubDomains, and optionally preload.
    • max-age specifies the duration (in seconds) that the browser should remember to only access the site using HTTPS.
    • includeSubDomains ensures that all subdomains will also adhere to the HSTS policy.
    • preload is an optional directive signalling that the site opts in to the browsers’ HSTS preload list.

Finding the Strict-Transport-Security header with the correct settings in your site’s HTTP headers confirms that HSTS is properly set up on your NGINX server.
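Reading the curl output by eye works for one site; for a repeatable check, the script below (an added example, not from the original article) parses a captured "curl -I" response and verifies the policy: the header must be present, max-age must be at least one year, and preload must not appear without includeSubDomains. A second function checks the companion requirement that the plain-HTTP endpoint redirects to HTTPS. Both responses embedded in the script are constructed samples; the function names check_hsts and check_https_redirect are the script's own.

```shell
#!/bin/sh
# Added example, not part of the original article. Verifies HSTS from captured
# HTTP response headers. SAMPLE_* values are constructed stand-ins for real output;
# in practice feed the functions curl directly:
#   curl -sI https://yourdomain.com | check_hsts
#   curl -sI http://yourdomain.com  | check_https_redirect

# Constructed sample, standing in for "curl -I https://yourdomain.com".
SAMPLE_HTTPS_RESPONSE='HTTP/2 200 
server: nginx
content-type: text/html
strict-transport-security: max-age=63072000; includeSubDomains; preload
'

# Constructed sample, standing in for "curl -I http://yourdomain.com".
SAMPLE_HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://yourdomain.com/
'

# Read an HTTP response from stdin and verify the HSTS policy it carries.
# Returns 0 on success, 1 if the header is missing, 2 if max-age is absent or
# below one year (31536000 s), 3 if preload is set without includeSubDomains.
check_hsts() {
    # Header names are case-insensitive; HTTP/2 responses send them lower-case.
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
           | cut -d: -f2- | sed 's/^[[:space:]]*//')
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header" >&2
        return 1
    fi
    # Split the value on ';' and pull out the max-age number.
    max_age=$(printf '%s' "$hsts" | tr -d ' ' | tr ';' '\n' \
              | grep -i '^max-age=' | cut -d= -f2)
    case "$max_age" in
        ''|*[!0-9]*) echo "FAIL: max-age missing or not numeric" >&2; return 2 ;;
    esac
    if [ "$max_age" -lt 31536000 ]; then
        echo "FAIL: max-age $max_age is below one year" >&2
        return 2
    fi
    if printf '%s' "$hsts" | grep -qi 'preload' \
       && ! printf '%s' "$hsts" | grep -qi 'includeSubDomains'; then
        echo "FAIL: preload requires includeSubDomains" >&2
        return 3
    fi
    echo "OK: $hsts"
    return 0
}

# Read the response to a plain-HTTP request from stdin and verify that it is a
# permanent redirect (301 or 308) to an https:// URL. Returns 0 if so, 1 otherwise.
check_https_redirect() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$resp" | grep -i '^location:' | head -n 1 \
               | cut -d: -f2- | tr -d ' ')
    case "$status" in
        301|308) ;;
        *) echo "FAIL: HTTP endpoint answered $status, not a permanent redirect" >&2; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: redirects to $location"; return 0 ;;
        *) echo "FAIL: redirect target is not https ($location)" >&2; return 1 ;;
    esac
}

# Run both checks against the constructed samples.
printf '%s' "$SAMPLE_HTTPS_RESPONSE" | check_hsts
printf '%s' "$SAMPLE_HTTP_RESPONSE" | check_https_redirect
```

The distinct return codes make the script usable from a monitoring job: a non-zero exit after a certificate renewal or a configuration change is the earliest sign that the header stopped being sent, for example because a new location block overrode the inherited add_header.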

A Final Word: The Importance of HTTP Strict Transport Security in NGINX

That’s a wrap on setting up and verifying HTTP Strict Transport Security (HSTS) in your NGINX server. We journeyed through the initial steps of backing up your configuration, integrating HSTS directives, and concluded with a practical verification using the curl command. Remember, implementing HSTS is more than a security protocol; it’s about building trust and enhancing the user experience on your site. Keep your NGINX setup up-to-date and routinely check your HSTS settings to ensure ongoing security and performance. This guide aimed to simplify the process, ensuring you can confidently manage HSTS in your NGINX environment. Stay secure and keep optimizing for the best web experience!
