77# Author: Maxime Jobin
88# URL: https://github.com/maximejobin/rocket-nginx
99#
10- # Tested with WP-Rocket version: 2.6.9
10+ # Tested with WP-Rocket version: 2.6.15
1111# Tested with NGINX: 1.8.0 (stable)
1212#
13- # Version 1.0. 1
13+ # Version 1.1
1414#
1515###################################################################################################
1616
1717set $rocket_debug 0; # Add debug information into header
18+ set $rocket_hsts_value ""; # HTTP Strict Transport Security (if you want overwrite default)
1819
1920###################################################################################################
2021# Do not alter theses values
@@ -24,8 +25,11 @@ set $rocket_encryption ""; # Is GZIP accepted by client ?
2425set $rocket_file ""; # Filename to use
2526set $rocket_is_bypassed "No"; # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass
2627set $rocket_reason ""; # Reason why cache file was not used. If cache file is used, what file was used
27- set $https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS
28+ set $rocket_https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS
29+ set $rocket_hsts 0; # Is HSTS is off (0) by default. Will be turned on (1) if request is HTTPS
2830
31+ # HSTS Default value : 1 year, include subdomains.
32+ set $rocket_hsts_value_default "max-age=31536000; includeSubDomains";
2933
3034###################################################################################################
3135# PAGE CACHE
@@ -38,11 +42,22 @@ if ($http_accept_encoding ~ gzip) {
3842
3943# Is SSL request ?
4044if ($https = "on") {
41- set $https_prefix "-https";
45+ set $rocket_https_prefix "-https";
46+ set $rocket_hsts 1;
47+ }
48+
49+ # If HSTS value is not set, use default value
50+ if ($rocket_hsts_value = "") {
51+ set $rocket_hsts_value "$rocket_hsts_value_default";
52+ }
53+
54+ # If HSTS is disabled, unset HSTS set for Rocket-Nginx configuration
55+ if ($rocket_hsts = "0") {
56+ set $rocket_hsts_value "";
4257}
4358
4459# File/URL to return IF we must bypass WordPress
45- set $rocket_url "/wp-content/cache/wp-rocket/$http_host/$request_uri/index$https_prefix .html$rocket_encryption";
60+ set $rocket_url "/wp-content/cache/wp-rocket/$http_host/$request_uri/index$rocket_https_prefix .html$rocket_encryption";
4661set $rocket_file "$document_root$rocket_url";
4762
4863
@@ -101,6 +116,7 @@ location ~ /wp-content/cache/wp-rocket/.*html$ {
101116 add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
102117 add_header X-Rocket-Nginx-Reason $rocket_reason;
103118 add_header X-Rocket-Nginx-File $rocket_file;
119+ add_header Strict-Transport-Security "$rocket_hsts_value";
104120 expires 30d;
105121}
106122
@@ -114,6 +130,7 @@ location ~ /wp-content/cache/wp-rocket/.*_gzip$ {
114130 add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
115131 add_header X-Rocket-Nginx-Reason $rocket_reason;
116132 add_header X-Rocket-Nginx-File $rocket_file;
133+ add_header Strict-Transport-Security "$rocket_hsts_value";
117134 expires 30d;
118135}
119136
@@ -122,6 +139,8 @@ add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
122139add_header X-Rocket-Nginx-Reason $rocket_reason;
123140add_header X-Rocket-Nginx-File $rocket_file;
124141
142+ # No HSTS header added here. We suppose it's correctly added in the site configuration
143+
125144
126145###################################################################################################
127146# BROWSER CSS CACHE
0 commit comments