Using Debian10 and a fresh/new Nginx1.20.1, when I check:
curl -I https://example.com I get Strict-Transport-Security: max-age=2592000 and when I check my website in https://www.ssllabs.com/ssltest/analyze.html, I see the result as
Strict Transport Security (HSTS) Yes TOO SHORT (less than 180 days)
max-age=2592000
I searched all my nginx.conf and all included files, but I can't find the directive add_header Strict-Transport-Security ....
So, I added the following line to my server block, http block, location block, all of them, one of them , tested different cases:
add_header Strict-Transport-Security "max-age=41536000; includeSubDomains; preload" always;
and again checked in the above link and the result was :
Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header
Good to say that, in both of the above cases, when I check response header in firefox browser, max-age is 2592000 and again my newly added directive does not come into effect!
I'm using cloudeflare as my DNS-server, so I enabled/disabled HSTS in my dashboard but no changes observed.
Let me now how could I find the default value of Strict-Transport-Security max-age in Nginx and how to change it effectively.
Best Answer
Cloudflare is the TLS terminating endpoint that rest of the world sees. Therefore it sets the HSTS headers. The origin HSTS headers are ignored by Cloudflare.
You need to modify the HSTS settings in Cloudflare control panel.