Add HSTS support

Maxime Jobin · Maxime Jobin · commit 7805d759ad86 · 2015-12-20T22:07:41.000-05:00
diff --git a/rocket-nginx.conf b/rocket-nginx.conf
@@ -15,16 +15,19 @@
 ###################################################################################################
 
 set $rocket_debug 0;				# Add debug information into header
+set $rocket_hsts_value "";			# HTTP Strict Transport Security (if you want overwrite default) 
 
 ###################################################################################################
 # Do not alter theses values
 #
 set $rocket_bypass 1;				# Should NGINX bypass WordPress and call cache file directly ?
 set $rocket_encryption "";			# Is GZIP accepted by client ?
 set $rocket_file "";				# Filename to use
-set $rocket_is_bypassed "No";			# Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass
+set $rocket_is_bypassed "No";		# Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass
 set $rocket_reason "";				# Reason why cache file was not used. If cache file is used, what file was used
-set $rocket_https_prefix "";					# HTTPS prefix to use when cached files are using HTTPS
+set $rocket_https_prefix "";		# HTTPS prefix to use when cached files are using HTTPS
+set $rocket_hsts 0;					# Is HSTS is off (0) by default. Will be turned on (1) if request is HTTPS
+set $rocket_hsts_value_default "max-age=31536000; includeSubDomains";
 
 
 ###################################################################################################
@@ -39,6 +42,17 @@ if ($http_accept_encoding ~ gzip) {
 # Is SSL request ?
 if ($https = "on") {
 	set $rocket_https_prefix "-https";
+	set $rocket_hsts 1;
+}
+
+# If HSTS value is not set, use default value
+if ($rocket_hsts_value = "") {
+	set $rocket_hsts_value "$rocket_hsts_value_default";
+}
+
+# If HSTS is disabled, unset HSTS set for Rocket-Nginx configuration
+if ($rocket_hsts = "0") {
+	set $rocket_hsts_value "";
 }
 
 # File/URL to return IF we must bypass WordPress
@@ -101,6 +115,7 @@ location ~ /wp-content/cache/wp-rocket/.*html$ {
 	add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
 	add_header X-Rocket-Nginx-Reason $rocket_reason;
 	add_header X-Rocket-Nginx-File $rocket_file;
+	add_header Strict-Transport-Security "$rocket_hsts_value";
 	expires 30d;
 }
 
@@ -114,6 +129,7 @@ location ~ /wp-content/cache/wp-rocket/.*_gzip$ {
 	add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
 	add_header X-Rocket-Nginx-Reason $rocket_reason;
 	add_header X-Rocket-Nginx-File $rocket_file;
+	add_header Strict-Transport-Security "$rocket_hsts_value";
 	expires 30d;
 }
 
@@ -122,6 +138,8 @@ add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed;
 add_header X-Rocket-Nginx-Reason $rocket_reason;
 add_header X-Rocket-Nginx-File $rocket_file;
 
+# No HSTS header added here. We suppose it's correctly added in the site configuration
+
 
 ###################################################################################################
 # BROWSER CSS CACHE
