
can someone tell me why ssl labs says this instance is sending multiple hsts headers when there's only one in my config #mastoadmins

only changes I made were the appropriate domain and cert lines. all the crazy ssl/cipher/header stuff is the same.

specifically, I added "includeSubDomains" but this invalid header thing was happening even before I added that directive to it




There's a known issue with Nginx where the HSTS header can be sent multiple times, but when I run the SSL Labs test, I'm not seeing that error pop up. Where are you seeing it?


re: mastoadmin 

@churusaa if I test '' on it'll be like "hey u get an A" which makes me happy and squeaky but this one particular thing is bugging/puzzling me


@trashyfins Woops. I tested the wrong instance name. I see it.

nginx will send its own HSTS header even if the application is configured to send its own, and that's expected behavior, apparently.

re: mastoadmin 

@churusaa oh that is right. I didn't think it was that literal with it.. idky.

I'm both mad and fine with this

re: mastoadmin 

@trashyfins Possibly relevant would be changing "header add" to "header set", and define the whole header instead of appending an HSTS header to a response that might already include one.

re: mastoadmin 

@churusaa apparently adding proxy_hide_header Strict-Transport-Security right before the add_header worked. ssllabs gave me treats now

thanks for the tip btw :3 ✨

and for helping in general. aaaaaaaAAAAA

re: mastoadmin 

@trashyfins :undertale: I'm glad you got that figured out.

re: mastoadmin 

@churusaa it's on my very long todo list to inspect all of these to know what they do exactly xwx

when i don't have shitposts to boost and homework to write
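
A check for the duplicate-header condition discussed in this thread, as an added example that is not part of the original posts: it counts the Strict-Transport-Security headers in a response and reports the policy from the first one, which is the only one a user agent processes under RFC 6797. The two sample responses and their max-age values are constructed for illustration.

```python
# Constructed sample responses; header values are illustrative, not from the thread.
BEFORE = (  # proxied app and nginx add_header each contribute a header
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER = (  # upstream copy hidden with proxy_hide_header; nginx adds the only one
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def hsts_values(raw_response):
    """Return every Strict-Transport-Security value in the header block, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values


def parse_directives(value):
    """Split one HSTS value into {lowercased directive name: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def audit(raw_response):
    """Count HSTS headers and report the policy a browser would actually apply."""
    values = hsts_values(raw_response)
    # RFC 6797 section 8.1: only the first HSTS header field is processed.
    effective = parse_directives(values[0]) if values else {}
    return {"count": len(values), "duplicate": len(values) > 1, "effective": effective}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

In the constructed "before" response the first header lacks includeSubDomains, so the directive in the second header has no effect on the browser.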
