security_headers_hsts_preload

The 'security_headers_hsts_preload' directive controls the inclusion of 'preload' in the HSTS header, indicating compliance with Chromium's preload list.

Syntax: security_headers_hsts_preload on | off;
Default: on
Context: http, server, location
Arguments: flag

Description

The 'security_headers_hsts_preload' directive in the NGINX security headers module lets you choose whether the 'preload' token is included in the Strict-Transport-Security (HSTS) header. When enabled, the 'preload' token signals that the site intends to be included in the HSTS preload lists that browsers ship with, which strengthens security by requiring that the site is only ever accessed via HTTPS, even on a browser's very first visit. This is particularly beneficial for protecting against man-in-the-middle attacks on the initial request to the server, before the browser has seen the site's HSTS header.

The directive accepts a boolean flag, which can be set to 'on' or 'off'. When set to 'on', the 'preload' token is appended to the HSTS header automatically; when set to 'off', the HSTS header is emitted without it. It is crucial to manage this setting carefully, especially where your site still receives requests over unsecured HTTP, because an incorrect configuration can cause domains (including subdomains) that were never meant to be HTTPS-only to be treated that way, making them unreachable over plain HTTP.

Config Example

http {
    security_headers on;
    security_headers_hsts_preload on;
}

Ensure that you consider the implications of preloading, as it can permanently affect how users access your site over HTTP.

Setting this directive to 'on' without being confident that all subdomains will only use HTTPS can restrict valid traffic to your site.
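A defender-side check for what the 'preload' token commits you to, added here as an example and not part of the module's own code: it parses a Strict-Transport-Security header value and reports why the header would fail the offline-checkable Chromium preload requirements (a max-age of at least one year, plus the includeSubDomains and preload directives). The threshold constant and function names are assumptions of this example, not module settings.

```python
import re

# Chromium preload submission requirements (hstspreload.org): max-age of at
# least one year, plus the includeSubDomains and preload directives.
# The constant name is an assumption of this example.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {name: value-or-None}.

    Directive names are case-insensitive (RFC 6797); a name that appears
    more than once makes the header invalid, so None is returned.
    """
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        # RFC 6797 allows quoted values, e.g. max-age="31536000".
        value = value.strip().strip('"') if value else None
        if name in directives:
            return None  # duplicate directive: header is invalid
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return the reasons the header is not preload-eligible.

    An empty list means the header satisfies the requirements that can be
    checked offline; HTTPS-only serving and the HTTP->HTTPS redirect still
    have to be verified against the live site.
    """
    directives = parse_hsts(header_value)
    if directives is None:
        return ["duplicate directive in header"]
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE} (one year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems
```

Run it against the header your server actually emits (for example from `curl -sI https://example.test`, a constructed host name) before submitting the site to a preload list.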
