Update HTTP Strict Transport Security (HSTS) max-age value

jamesmacwhite · web-flow · commit 3cf631e94a58 · 2022-03-18T18:03:43.000Z
Set to 31536000 as recommended by OWASP.
diff --git a/src/ngx_http_security_headers_module.c b/src/ngx_http_security_headers_module.c
@@ -272,9 +272,9 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)
     {
         ngx_str_set(&key, "Strict-Transport-Security");
         if (1 == slcf->hsts_preload) {
-            ngx_str_set(&val, "max-age=63072000; includeSubDomains; preload");
+            ngx_str_set(&val, "max-age=31536000; includeSubDomains; preload");
         } else {
-            ngx_str_set(&val, "max-age=63072000; includeSubDomains");
+            ngx_str_set(&val, "max-age=31536000; includeSubDomains");
         }
         ngx_set_headers_out_by_search(r, &key, &val);
     }

Original file line number	Diff line number	Diff line change
`@@ -272,9 +272,9 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)`
`272`	`272`	`{`
`273`	`273`	`ngx_str_set(&key, "Strict-Transport-Security");`
`274`	`274`	`if (1 == slcf->hsts_preload) {`
`275`		`- ngx_str_set(&val, "max-age=63072000; includeSubDomains; preload");`
	`275`	`+ ngx_str_set(&val, "max-age=31536000; includeSubDomains; preload");`
`276`	`276`	`} else {`
`277`		`- ngx_str_set(&val, "max-age=63072000; includeSubDomains");`
	`277`	`+ ngx_str_set(&val, "max-age=31536000; includeSubDomains");`
`278`	`278`	`}`
`279`	`279`	`ngx_set_headers_out_by_search(r, &key, &val);`
`280`	`280`	`}`