edx · macdiesel · Nov 6, 2025
diff --git a/playbooks/roles/nginx/defaults/main.yml b/playbooks/roles/nginx/defaults/main.yml
@@ -46,7 +46,7 @@ NGINX_ENABLE_SSL: False
 NGINX_REDIRECT_TO_HTTPS: False
 # Disable handling IP disclosure for private IP addresses. This is needed by ELB to run the health checks while using `NGINX_ENABLE_SSL`.
 NGINX_ALLOW_PRIVATE_IP_ACCESS: False
-NGINX_HSTS_MAX_AGE: 31536000
+NGINX_HSTS_MAX_AGE: 63072000
 # Set these to real paths on your
 # filesystem, otherwise nginx will
 # use a self-signed snake-oil cert

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -71,7 +71,7 @@ error_page {{ k }} {{ v }};
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   # prevent the browser from doing MIME-type sniffing

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2
@@ -22,7 +22,7 @@ server {
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   listen {{ CONDUCTOR_NGINX_PORT }} {{ default_site }};

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
@@ -29,7 +29,7 @@ server {
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   {% include "common-settings.j2" %}

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
@@ -37,7 +37,7 @@ server {
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   location ~ ^/static/(?P<file>.*) {

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2
@@ -24,7 +24,7 @@ server {
   server_name ~^((stage|prod)-)?learner-portal.*;
   ssl_certificate /etc/ssl/certs/wildcard.sandbox.edx.org.pem;
   ssl_certificate_key /etc/ssl/private/wildcard.sandbox.edx.org.key;
-  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   location / {
     root /edx/app/learner_portal/learner_portal/dist;
     index index.html;

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -103,7 +103,7 @@ error_page {{ k }} {{ v }};
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   # prevent the browser from doing MIME-type sniffing

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2
@@ -27,7 +27,7 @@ server {
   server_name ~^((stage|prod)-)?program-console.*;
   ssl_certificate /etc/ssl/certs/wildcard.sandbox.edx.org.pem;
   ssl_certificate_key /etc/ssl/private/wildcard.sandbox.edx.org.key;
-  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   location / {
     root /edx/app/program-console/program-console/dist;
     index index.html;

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2
@@ -44,7 +44,7 @@ server {
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
 

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
@@ -27,7 +27,7 @@ server {
 
   {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
   # request the browser to use SSL for all connections
-  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+  add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains; preload";
   {% endif %}
 
   # set xqueue upload limit to 20MB to match the LMS upload limit.