Help adding includeSubDomains to the Strict-Transport-Security header

A client used a helpful security scanner and now believes that the Strict-Transport-Security header should include ‘includeSubdomains’.

I’ve added both of these to the app.yml:

  after_ssl:
    - replace:
        filename: /etc/nginx/conf.d/outlets/server/20-https.conf
        from: "max-age=31536000;"
        to: "max-age=31536000; includeSubDomains;"
    - replace:
        filename: /etc/nginx/conf.d/outlets/discourse/20-https.conf
        from: "max-age=31536000;"
        to: "max-age=31536000; includeSubDomains;"
    - exec: sed -i "s/add_header Strict-Transport-Security 'max-age=31536000';/add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;/" /etc/nginx/conf.d/outlets/discourse/20-https.conf /etc/nginx/conf.d/outlets/server/20-https.conf

Neither seems to work. Running the sed command from the second one inside the container works, and after restarting nginx it does what’s requested.

I don’t understand why it won’t work.

Also, this used to be in the template, but it seems it was removed in 2014; yet some recent posts include headers that show includeSubdomains in there.

I’m stumped.

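As an added example (not code from the original post or from Discourse), the Python below runs both posted rules against a constructed copy of the nginx directive in the form quoted by the sed command, then parses the resulting header into its RFC 6797 directives so you can see which rule's pattern actually matches that line and whether the result would satisfy a scanner's HSTS check. Treating the `replace` hook as a literal substring match is an assumption; the exact directive in a given 20-https.conf should be checked before relying on either pattern.

```python
import re

# Constructed sample: the add_header line in the form the posted sed command expects.
HSTS_LINE = "add_header Strict-Transport-Security 'max-age=31536000';"

# The app.yml replace rule as posted (literal from/to strings).
REPLACE_FROM = "max-age=31536000;"
REPLACE_TO = "max-age=31536000; includeSubDomains;"

# The posted sed substitution, expressed as a Python regex and replacement.
SED_PATTERN = r"add_header Strict-Transport-Security 'max-age=31536000';"
SED_REPLACEMENT = 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'


def apply_replace_rule(line, frm=REPLACE_FROM, to=REPLACE_TO):
    """Emulate the replace hook as a literal substring swap (assumption).
    Returns (new_line, matched) so a non-matching pattern is visible."""
    return line.replace(frm, to), frm in line


def apply_sed_rule(line):
    """Emulate the posted sed -i substitution on one line."""
    return re.sub(SED_PATTERN, SED_REPLACEMENT, line)


def parse_hsts(directive_line):
    """Pull the quoted header value out of an nginx add_header line and split it
    into RFC 6797 directives (names lower-cased; value None for bare flags)."""
    m = re.search(r"""Strict-Transport-Security\s+(['"])(.*?)\1""", directive_line)
    if not m:
        return None
    directives = {}
    for part in m.group(2).split(";"):
        part = part.strip()
        if not part:
            continue  # RFC 6797 allows empty directives, e.g. a trailing ';'
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip() or None
    return directives


def hsts_check(directives, min_age=31536000):
    """Return the findings a scanner would raise; an empty list means the header is complete."""
    if directives is None:
        return ["no Strict-Transport-Security header found"]
    findings = []
    age = directives.get("max-age")
    if age is None or not age.isdigit() or int(age) < min_age:
        findings.append("max-age missing or shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    return findings
```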