Receiving 2 strict-transport-security headers with different times

I have a domain set up with SSL and I am trying to get HSTS headers working.
I have done this in NGINX before with no problem. On this new domain I can't seem to get HSTS working properly. Not sure what I am doing wrong.
I have the following in the server block for the SSL server:

add_header Strict-Transport-Security "max-age=31536000;";

When I run "curl -s -D- https://my.domain.net/ | grep Strict" I receive the following:

Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000;

From all the reading I've done trying to figure this out, my impression is that with add_header in the server block, it will override any previous declaration (there are none). Is that correct?
I grepped my entire /etc directory and there is only one instance of "max-age", and that is in my SSL server config, with one year (31536000 seconds). So nowhere on this system, which was just built and is only accessed by me, is there any reference to HSTS with max-age=0. There is only one config in sites-enabled, and that is for my.domain.net. There is a port 80 config with a return 301 statement to permanently redirect to the SSL server config.

My nginx version is 1.6.2, on Ubuntu 14.04 LTS.
I have been unable to find any help on the web for where the invalid (max-age=0) header could be coming from. When testing on ssllabs they report the max-age=0 header. When running the curl statement above on my local network I get the above output.

I'm not sure where to go from here trying to figure this out. There is nothing in the NGINX error log; I wouldn't expect anything, as NGINX restarts with no issues.

Thanks for reading!

Posted at Nginx Forum:

I've had the same experience with the Laravel framework. They have another configuration option that sets a header like that.

What web apps framework do you use?

Very interesting. I am using ownCloud. I thought something like that may be the case and did a couple of quick searches that didn't turn up anything, but I'll give it another look now. Thanks for the hint!


dewanggaba, your hint was correct. Even though I am using the NGINX config supplied by ownCloud, there was still a setting in the admin panel to force HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS (in PHP) is set to off (and HTTPS is just forced through the server config), ownCloud sends an HSTS header with max-age=0!
This is ownCloud 7.0.4 (stable).
Here is the relevant code in case it helps anyone who might be searching for the same thing in the future:

public static function checkSSL() {
    // redirect to https site if configured
    if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
        // Default HSTS policy (one year)
        $header = 'Strict-Transport-Security: max-age=31536000';
        // If SSL for subdomains is enabled add "; includeSubDomains" to the header
        if (\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {
            $header .= '; includeSubDomains';
        }
        header($header);
        ini_set('session.cookie_secure', 'on');
        // Plain-HTTP requests (other than CLI) are redirected to the https:// URL
        if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
            $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
            header("Location: $url");
            exit();
        }
    } else {
        // Invalidate HSTS headers: with forcessl off, an HTTPS response
        // deliberately carries max-age=0, which tells the browser to
        // drop any HSTS policy it has stored for this host
        if (OC_Request::serverProtocol() === 'https') {
            header('Strict-Transport-Security: max-age=0');
        }
    }
}

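The duplicate-header symptom in the first post and the ownCloud code above are two halves of the same problem, and the order of the two headers matters more than it looks: RFC 6797 section 8.1 requires a browser that sees more than one Strict-Transport-Security header in a response to process only the first one. Since nginx's add_header is appended after the headers the PHP backend produced, the header the browser actually honours is the application's max-age=0, which clears any stored policy rather than setting one. The following checker is an added example, not code from the thread or from ownCloud; it parses the raw header dump that `curl -s -D-` prints, applies the RFC 6797 rules (first header wins, max-age required, duplicate directives invalidate the header), and reports the effective policy. The sample response embedded in it is constructed to match what the poster described, not a real capture.

```python
"""Audit Strict-Transport-Security headers in a raw HTTP response dump.

Usage:  curl -s -D- -o /dev/null https://my.domain.net/ | python3 hsts_check.py -
Without an argument the constructed SAMPLE_RESPONSE below is audited.
"""
import sys

# Constructed sample mirroring the two-header response in the thread
# (not an actual capture from the poster's server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # common minimum for a useful HSTS policy


def parse_headers(raw):
    """Return [(name, value), ...] from a raw header dump, in wire order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Parse one STS field value (RFC 6797 section 6.1).

    Returns a policy dict, or None when a browser would ignore the header.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: the UA must ignore the header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored by the UA
    if policy["max_age"] is None:
        return None  # max-age is required
    return policy


def audit_hsts(raw):
    """Return {'headers': [...], 'effective': policy, 'findings': [...]}."""
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    findings = []
    effective = None
    if not values:
        findings.append("no Strict-Transport-Security header in response")
    else:
        if len(values) > 1:
            findings.append(
                f"{len(values)} Strict-Transport-Security headers; per RFC 6797 "
                f"section 8.1 browsers process only the first ({values[0]!r})"
            )
        effective = parse_hsts(values[0])
        if effective is None:
            findings.append(f"first STS header is invalid and will be ignored: {values[0]!r}")
        elif effective["max_age"] == 0:
            findings.append("effective max-age=0: this deletes any stored HSTS policy for the host")
        elif effective["max_age"] < ONE_YEAR:
            findings.append(f"effective max-age={effective['max_age']} is shorter than one year")
    return {"headers": values, "effective": effective, "findings": findings}


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_RESPONSE
    result = audit_hsts(raw)
    print("STS headers seen:", result["headers"])
    print("effective policy:", result["effective"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the constructed sample it reports two findings: the duplicated header and the effective max-age=0. The fix in the thread (enable ownCloud's own force-HTTPS setting, or stop the application emitting the header and let nginx set it once) should leave the checker with a single header and no findings; re-running the curl pipeline after the change confirms it.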

Hi,

Glad to help.

Cheers.