
We had some misplaced HTTP headers set up on our sites for around one day, which created problems on some of our subdomains. Resolving this fault is pretty hard because the headers we sent are valid for a long time (182,5 days(!)), so we cannot ask every user to reset their whole browser cache.

Is it possible to set up an nginx vhost to force an overwrite of every old HTTP header? So if a user visits the main site again, he gets the new, correct headers?

The headers we sent:

  add_header Strict-Transport-Security "max-age=15768000; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
Flatron

1 Answer


It's not a server-side problem. This is how Strict-Transport-Security works, and if it didn't, it would be useless - it's browsers that remember this setting, and there's nothing you can do once visitors have seen them. The solution is to be very careful, and do not set this header unless you really mean it.

That said, there's an easy workaround: serve everything over SSL and it ceases to be a problem.

Synchro
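Since the answer's point is that the browser, not the server, keeps the policy until `max-age` runs out, the practical defence is to check an HSTS value before it ever ships. The following is an added example (not code from the question, the answer or nginx): it parses a Strict-Transport-Security value along the lines of RFC 6797, flags the stray trailing `;` and other syntax problems that make browsers ignore the header, computes when a browser that saw it will forget the policy, and lists what the HSTS preload submission form would reject. Function names and the sample header strings are this example's own.

```python
from datetime import datetime, timedelta, timezone

# hstspreload.org requires max-age of at least one year (31536000 s);
# the question's 15768000 s is only half that.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split an STS header value into {directive: argument}; return (directives, warnings).

    Names are case-insensitive. An empty directive (the trailing ';' in 'preload;')
    is syntactically allowed by RFC 6797 but flagged as a likely copy/paste slip.
    """
    directives, warnings = {}, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            warnings.append("empty directive (stray ';')")
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in directives:
            # RFC 6797 6.1: a repeated directive makes the whole header invalid.
            warnings.append(f"duplicate directive '{name}'; browsers ignore the header")
        directives[name] = arg
    if not directives.get("max-age", "").isdigit():
        warnings.append("max-age missing or not an unsigned integer; browsers ignore the header")
    return directives, warnings


def policy_expiry(directives, seen_at):
    """Instant at which a browser that received this header at seen_at drops the policy."""
    return seen_at + timedelta(seconds=int(directives["max-age"]))


def preload_blockers(directives):
    """Reasons the HSTS preload list would reject this header (empty list = acceptable)."""
    blockers, age = [], directives.get("max-age", "")
    if not age.isdigit() or int(age) < PRELOAD_MIN_MAX_AGE:
        blockers.append("max-age below one year")
    if "includesubdomains" not in directives:
        blockers.append("includeSubDomains missing")
    if "preload" not in directives:
        blockers.append("preload directive missing")
    return blockers


if __name__ == "__main__":
    sent = "max-age=15768000; preload;"  # constructed: the value the question shows
    directives, warnings = parse_hsts(sent)
    print(directives, warnings)
    print("browser forgets policy at:", policy_expiry(directives, datetime.now(timezone.utc)))
    print("preload blockers:", preload_blockers(directives))
```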