
I'm running a set of Rails servers on AWS with elastic load-balancing and nginx. When I run a security test at SSL Labs (http://ssllabs.com/ssltest), it reports back:

    Invalid: Server provided more than one HSTS header

Where's that coming from, and how do I configure it to only report one HSTS header?

John Feltz

1 Answer


Rails adds an HSTS header when you set config.force_ssl = true.

Since the error is that it's being duplicated, you're probably setting nginx to set the same header. Choose either Rails or nginx to do it, not both.

Turgs
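One way to confirm the duplication described in the answer above, as an added example that is not part of the original question or answer: this Ruby script counts `Strict-Transport-Security` headers in a raw response head (for instance the saved output of `curl -sI`). The sample responses, their max-age values, and the names `hsts_values` and `hsts_check` are constructed for illustration.

```ruby
# Added example: detect duplicate HSTS headers in a raw HTTP response.
HSTS_NAME = 'strict-transport-security'

# Return every HSTS header value, in the order the server sent them.
# Only the header section (before the first blank line) is inspected.
def hsts_values(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first.to_s
  head.lines.drop(1).each_with_object([]) do |line, found| # drop(1): status line
    name, value = line.chomp.split(':', 2)
    next if value.nil?
    found << value.strip if name.strip.downcase == HSTS_NAME # names are case-insensitive
  end
end

# Summarise the result. :conflicting is true when the copies carry
# different policies, which suggests two layers configured separately.
def hsts_check(raw_response)
  values = hsts_values(raw_response)
  status = case values.size
           when 0 then :missing
           when 1 then :ok
           else :duplicate
           end
  { status: status, count: values.size, values: values,
    conflicting: values.map { |v| v.downcase.delete(' ') }.uniq.size > 1 }
end

# Constructed sample: one header per layer, as in the scenario above.
SAMPLE_DUPLICATE = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000',
  'strict-transport-security: max-age=63072000; includeSubDomains',
  '', ''
].join("\r\n")

# Constructed sample: the same response once only one layer sets the header.
SAMPLE_SINGLE = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Strict-Transport-Security: max-age=31536000',
  '', ''
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_DUPLICATE, SAMPLE_SINGLE].each { |raw| puts hsts_check(raw).inspect }
end
```

Running the same check against a response fetched directly from the Rails process and one fetched through nginx shows which layer adds the second copy.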