I recently changed my nginx config to redirect all http traffic to https (and all www traffic to no-www).
Would it make sense to also add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
to my server blocks as well? Or is that unneeded since I'm already redirecting all traffic? It would be great to know the pros (and cons, if any).
In case it's relevant, my current virtual host configuration is:
server {
    server_name example.com www.example.com;
    listen 80;
    return 301 https://example.com$request_uri;
}
server {
    server_name www.example.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ... other SSL related config ...
    return 301 https://example.com$request_uri;
}
server {
    server_name example.com;
    listen 443 ssl;
    ... other SSL related config ...
    ... remaining server configuration ...
}
Best Answer
HSTS tells the browser to always use https, rather than http. Adding that configuration may reduce the need for forwarding from http to https, so it may very slightly increase website performance and very slightly decrease server load.
For reference, here are the security headers I use on my Nginx based websites. I save this to a single file and include it from all servers that need it, including http and https servers. It allows some common resources like Google and Facebook to load.
Clarification
You still need the http to https redirection in place.
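As an added example (not the asker's configuration and not the answerer's header file), here is how the asker's three server blocks look with the HSTS header placed where browsers will honour it. Browsers only accept Strict-Transport-Security from a response received over TLS (RFC 6797), so the header goes on the port-443 blocks and the port-80 redirect stays exactly as it is; the first visit to a host the browser has never seen over HTTPS still arrives on port 80 and needs that redirect. The key path and document root are assumed placeholders.

```nginx
# Added example: HSTS on the HTTPS server blocks only.
# The plain-HTTP block keeps its redirect; an HSTS header sent here would be ignored.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/cert_chain.crt;      # path from the question
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-KEY.key; # assumed placeholder path

    # Send HSTS on the www host as well: a browser that lands here once will then
    # rewrite future http://www.example.com requests to https itself, before the
    # network round trip, instead of relying on the port-80 redirect.
    # "always" adds the header to every status code, including this 301.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-KEY.key; # assumed placeholder path

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Caveat: add_header is NOT inherited from the server block once a
        # location defines any add_header of its own, so the HSTS line has to be
        # repeated in every location that sets other headers.
        add_header X-Content-Type-Options nosniff always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        root /var/www/example.com; # assumed placeholder document root
    }
}
```

Run `nginx -t` after editing, reload, and confirm with `curl -sI https://example.com/` that the Strict-Transport-Security line is present on the 200 response from example.com, on the 301 from https://www.example.com, and absent from the plain-HTTP 301. Two practical caveats before enabling it: `includeSubDomains` commits every subdomain (including ones that only exist internally or on other hosts) to HTTPS for the full max-age, so any subdomain still served over plain HTTP becomes unreachable for returning visitors; and because browsers cache the policy for max-age seconds, rolling it out with a short max-age first and raising it to 31536000 once everything is confirmed working is the usual low-risk sequence.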