Hi Elvis!
Is ‘always’ set correctly?
Sometimes it is used, sometimes it is not used.
For example, it is used on Apache but not on NGINX:
Apache
Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"
NGINX
add_header Strict-Transport-Security max-age=10886400;
Hi there,
The standard requires sending this header always, except when the request is made to plain HTTP. This means an HSTS Host returns the “Strict-Transport-Security” HTTP response header field in its HTTP response messages sent over secure transport. An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. ‘Always’ means that the header will be sent even if the HTTP status code is 4xx, or 5xx. So arguably, it should be set to always in the HTTPS blocks and not be set in HTTP blocks at all. Hopefully, that can help. 🙂
Thanks for the reply Louis 🙂
Thank you!