From 5284d4028c5db6e32b73b13731622ba477597561 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Tue, 11 Sep 2018 13:04:49 -0500
Subject: [PATCH] Don't include `preload` flag in sample HSTS header
This goes against the recommendations (preloading should be opt-in). Putting it in the example makes it likely that people enable it without knowing what it means. https://hstspreload.org/?domain=peertube.social#opt-in
---
 support/nginx/peertube | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 5d97c0cf1..0da427037 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -48,7 +48,7 @@ server {
 # Tells browsers to stick with HTTPS and never visit the insecure HTTP
 # version. Once a browser sees this header, it will only visit the site over
 # HTTPS for the next 2 years: (read more on hstspreload.org)
- #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 access_log /var/log/nginx/peertube.example.com.access.log;
 error_log /var/log/nginx/peertube.example.com.error.log;
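Review bot: The context comment directly above the changed `add_header` line still ends with "(read more on hstspreload.org)", which now points operators at the preload list without saying that the `preload` directive was deliberately left out of the sample, so a reader following that link may add it back without understanding the commitment. Extending the comment to state the omission would make the sample self-explanatory, e.g. `# The "preload" directive is intentionally omitted: preloading is opt-in and hard to undo, so only add it after reading hstspreload.org.` It may also be worth a one-line reminder that `includeSubDomains` applies the policy to every subdomain, so any HTTP-only subdomain must be migrated before enabling the header. The enclosing `server {` block starts before this hunk and continues past it.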