Skip to content

Security: Add Strict-Transport-Security (HSTS) header to nginx.conf #642

Description

@LucasMaupin

Summary

The nginx/nginx.conf currently handles SPA routing but does not set a Strict-Transport-Security (HSTS) header. Without HSTS, browsers may downgrade HTTPS connections to HTTP on subsequent visits, exposing users to man-in-the-middle attacks.

Note: #624 tracks adding CSP and X-Frame-Options headers; HSTS is a complementary but distinct control.

Severity: MEDIUM

Remediation

Add the following to the server block in nginx/nginx.conf:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Also consider adding:

add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingenhancementNew feature or requestgood first issueGood for newcomersready-for-devIssue is scoped and ready to be picked uptriagedIssue has been triaged

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions