dewanggaba, your hint was correct. Even though I am using the NGINX config supplied by ownCloud, there was still a setting in the admin panel to force HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS (in PHP) is set to off (and just forced through the server config), ownCloud sends an HSTS header for max-age=0! This is ownCloud 7.0.4 (stable). Here is the relevant code i
by deltaxfx - Nginx Mailing List - English
Very interesting. I am using ownCloud. I thought something like that may be the case and did a couple quick searches that didn't turn up anything, but I'll give it another look now. Thanks for the hint!
by deltaxfx - Nginx Mailing List - English
I have a domain set up with SSL and I am trying to get HSTS headers working. I have done this in NGINX before with no problem. On this new domain I can't seem to get HSTS working properly. Not sure what I am doing wrong. I have the following in the server block for the SSL server: add_header Strict-Transport-Security "max-age=31536000;"; When I run "curl -s -D- https://my.domai
by deltaxfx - Nginx Mailing List - English