How To Fix the “HSTS Missing From HTTPS Server” Error
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. When a server has HSTS enabled, it informs the browser to only interact with it over HTTPS. The “HSTS Missing From HTTP Server” error indicates that this policy is not correctly configured on your server. Here’s how to fix it:
1. Understanding HSTS
HSTS is implemented via an HTTP response header. When a browser receives this header from a server, it will only communicate with the server over HTTPS for a specified period. The header looks like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age: Specifies the time, in seconds, that the browser should remember that the site is only accessible via HTTPS. For example, 31536000 seconds is equivalent to 1 year.
includeSubDomains: Optional directive that applies this policy to all subdomains of the site.
2. Prerequisites
Before enabling HSTS, ensure:
Your website is fully accessible via HTTPS.
All HTTP pages are redirected to their HTTPS counterparts.
You have a valid SSL/TLS certificate installed on your server.
3. Edit the Nginx Configuration File
You need to edit your Nginx configuration file to add the HSTS header. This configuration file is typically located in one of the following directories:
/etc/nginx/sites-enabled/your-sitename.conf
4. Add the HSTS Header
4.1 Open the Configuration File:
Open the configuration file for your site using a text editor. For example:
sudo nano /etc/nginx/sites-enabled/your-sitename.conf
4.2 Modify the Server Block:
Locate the server block handling HTTPS traffic. It typically looks like this:
server {
listen 443 ssl;
server_name your-site.com;
ssl_certificate /path/to/your/certificate.crt;
ssl_certificate_key /path/to/your/private.key;
# Add the HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Other configuration directives…
}
4.3 Add the HSTS Header:
Within the server block, add the add_header directive:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Here’s an example of what the server block might look like after adding the HSTS header:
server {
listen 443 ssl;
server_name your-site.com;
ssl_certificate /path/to/your/certificate.crt;
ssl_certificate_key /path/to/your/private.key;
# Add the HSTS header
add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains" always;
location / {
# Your site configuration...
}
}
5. Test the Configuration
Before applying the changes, it’s essential to test your Nginx configuration to ensure there are no syntax errors.
Run the following command:
sudo nginx -t
If the test is successful, you should see output similar to:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
6. Reload Nginx
After verifying the configuration, reload Nginx to apply the changes:
sudo systemctl reload nginx
7. Verify the HSTS Header
Finally, verify that the HSTS header is being sent correctly. You can do this using various online tools or by checking the response headers directly.
Using curl:
Run the following command:
curl -I https://your-site.com
Look for the Strict-Transport-Security header in the response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 May 2024 12:00:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 29 Apr 2020 15:00:00 GMT
Connection: keep-alive
ETag: "5ea9cd00-264"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Conclusion
→ By adding the HSTS header to your Nginx configuration, you enforce strict transport security, ensuring that all communications with your server are conducted over HTTPS. This significantly enhances the security of your website by protecting it from protocol downgrade attacks and cookie hijacking.
Last updated
Was this helpful?