diff --git a/playbooks/roles/nginx/defaults/main.yml b/playbooks/roles/nginx/defaults/main.yml
index 0be8b8d93..bc14dcad9 100644
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -46,7 +46,7 @@ NGINX_ENABLE_SSL: False
 NGINX_REDIRECT_TO_HTTPS: False
 # Disable handling IP disclosure for private IP addresses. This is needed by ELB to run the health checks while using `NGINX_ENABLE_SSL`.
 NGINX_ALLOW_PRIVATE_IP_ACCESS: False
-NGINX_HSTS_MAX_AGE: 31536000
+NGINX_HSTS_MAX_AGE: 63072000
 # Set these to real paths on your
 # filesystem, otherwise nginx will
 # use a self-signed snake-oil cert
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
index f12dc555f..731d71643 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -71,7 +71,7 @@ error_page {{ k }} {{ v }};
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 # prevent the browser from doing MIME-type sniffing
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2
index 5c193f0e1..96ec2e05c 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2
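Review bot: The new default `63072000` carries no comment saying why it doubled or what the templates now assume about it, so a deployer who tunes it down will not know they are breaking preload eligibility. Because the role's templates in this commit (cms.j2, lms.j2 and the other sites-available templates) now emit `includeSubDomains; preload`, the value is no longer a free tunable. I would document that above the key: `# 2 years. The HSTS preload list requires includeSubDomains, the preload token and a max-age of at least one year; do not lower this on a domain that has been submitted.`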
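Review bot: The `preload` token is now emitted unconditionally whenever `NGINX_ENABLE_SSL` or `NGINX_REDIRECT_TO_HTTPS` is set, which turns a per-domain and hard-to-reverse decision into the default for every deployer of this shared role; `preload` is the operator's declaration of intent to submit the domain to the browser preload lists, and removal from those lists lags browser release cycles by months rather than following the header. The same unconditional token is added in conductor.j2, edx_notes_api.j2, insights.j2, learner_portal.j2, lms.j2, program_console.j2, prospectus.j2 and xqueue.j2. I would gate it behind a new role default that is off unless the operator opts in (for example `NGINX_HSTS_PRELOAD`), `add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains{% if NGINX_HSTS_PRELOAD %}; preload{% endif %}";`, and document the switch next to `NGINX_HSTS_MAX_AGE` in the defaults file. The enclosing `server` block starts and ends outside this hunk.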
@@ -22,7 +22,7 @@ server {
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 listen {{ CONDUCTOR_NGINX_PORT }} {{ default_site }};
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
index 5f94acdbb..213700e9e 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
@@ -29,7 +29,7 @@ server {
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 {% include "common-settings.j2" %}
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
index 8bef747fd..cd65be568 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
@@ -37,7 +37,7 @@ server {
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 location ~ ^/static/(?P.*) {
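Review bot: `includeSubDomains` is new here, not just `preload` — the removed line carried only `max-age` — so conductor.j2 (and xqueue.j2 later in this commit) receive a wider scope change than the other templates, which already had it. With `includeSubDomains`, every subdomain of the host that served the header, including services not managed by this role, is forced to HTTPS for `NGINX_HSTS_MAX_AGE` seconds (now two years) after a single visit, and any HTTP-only subdomain becomes unreachable until the browser's entry expires. If that widening is intended the commit message should say so; otherwise keep the previous shape for these two hosts, `add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";`, until the subdomain inventory has been confirmed. The enclosing `server` block extends beyond the hunk.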
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2
index 84c79da63..3ef433846 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2
@@ -24,7 +24,7 @@ server {
 server_name ~^((stage|prod)-)?learner-portal.*;
 ssl_certificate /etc/ssl/certs/wildcard.sandbox.edx.org.pem;
 ssl_certificate_key /etc/ssl/private/wildcard.sandbox.edx.org.key;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 location / {
 root /edx/app/learner_portal/learner_portal/dist;
 index index.html;
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
index 46e04bfb7..5c857c198 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -103,7 +103,7 @@ error_page {{ k }} {{ v }};
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 # prevent the browser from doing MIME-type sniffing
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2
index 775ecedf8..1e85d6e7d 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2
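Review bot: In learner_portal.j2 (and program_console.j2 in this commit) the `add_header` sits at server level directly above `location / {`, and nginx only inherits `add_header` directives into a location that declares none of its own; if that location body, which lies outside the hunk, sets any header at all, responses served from it silently lose HSTS. Worth checking those location bodies, or repeating the directive inside them. Separately, without the `always` parameter the header is only attached to successful and redirect status codes, so a client whose first contact is an error page is not pinned; `add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload" always;` covers that on nginx 1.7.5 or newer. The enclosing `server` block starts before and ends after this hunk.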
@@ -27,7 +27,7 @@ server {
 server_name ~^((stage|prod)-)?program-console.*;
 ssl_certificate /etc/ssl/certs/wildcard.sandbox.edx.org.pem;
 ssl_certificate_key /etc/ssl/private/wildcard.sandbox.edx.org.key;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 location / {
 root /edx/app/program-console/program-console/dist;
 index index.html;
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2
index 459b104a0..fefcaacd4 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2
@@ -44,7 +44,7 @@ server {
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
index 28d96272d..de4d6dbbc 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
@@ -27,7 +27,7 @@ server {
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
 {% endif %}
 # set xqueue upload limit to 20MB to match the LMS upload limit.