Set HSTS to 2 years

2023-04-03 03:01:06 +00:00 · 2023-04-03 03:01:06 +00:00 · 450fce6729
commit 450fce6729
parent f72496e86d
1 changed files with 4 additions and 2 deletions
--- a/nginx/sites-available/search.zzls.xyz.conf
+++ b/nginx/sites-available/search.zzls.xyz.conf
@ -36,7 +36,7 @@ server {
    # CSP + Security Headers
    # include configs/securityheaders.conf;
    add_header Permissions-Policy        "interest-cohort=()" always;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header Strict-Transport-Security "max-age=63072000; preload" always;
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;

    #quic_retry on;
@ -44,8 +44,10 @@ server {
    #ssl_early_data on;
    #ssl_session_ticket_key /etc/nginx/http3key.key;

+    ssl_stapling on;
+    ssl_stapling_verify on;

-    #listen 443 http3;
+    listen 443 quic;
    listen 443 http2 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot