Michael Howell

nginx sinkhole #1: `add_header` only runs on HTTP 200 by default

Sep 30, 2016

This nginx configuration directive is not secure:

add_header Strict-Transport-Security max-age=15768000;

It shows up in a lot of nice examples, but it doesn’t add the header if your response is anything but HTTP 200. This includes, for example, redirects you might have into an SSO portal. Use this:

add_header Strict-Transport-Security max-age=15768000 always;
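An added check for the failure mode described above (example code, not part of the original post): it parses captured HTTP responses and reports which ones lack a Strict-Transport-Security header. The two sample responses are constructed to mimic an nginx server using the directive without `always`: the 200 carries the header, the 302 redirect to an SSO portal does not.

```python
"""Audit captured HTTP responses for a missing Strict-Transport-Security header."""
from typing import Dict, List, Tuple

# Constructed sample responses (not real captures): a 200 that carries HSTS
# and a 302 redirect that does not, as produced by add_header without `always`.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>ok</html>",
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Location: https://sso.example.test/login\r\n"
    "\r\n",
]


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.1 response.

    Header names are lower-cased because HTTP header names are
    case-insensitive; the body is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def missing_hsts(responses: List[str]) -> List[int]:
    """Return the status codes of the responses that lack an HSTS header."""
    findings = []
    for raw in responses:
        status, headers = parse_response(raw)
        if "strict-transport-security" not in headers:
            findings.append(status)
    return findings


if __name__ == "__main__":
    for status in missing_hsts(SAMPLE_RESPONSES):
        print(f"HTTP {status} response is missing Strict-Transport-Security")
```

Run against the sample data it reports only the 302, which is exactly the response a browser would see first when it is bounced to the SSO portal.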

Should we just ban the word “always” from the API design vocabulary? It’s always a sign that you’re trying to cover up some case where you think the directive should be ignored, which is going to be surprising sometime.