From 6328da8c017cf00d3c0ac8824ec5af128f6db42e Mon Sep 17 00:00:00 2001
From: Rigel Kent <sendmemail@rigelk.eu>
Date: Sun, 9 Sep 2018 22:10:38 +0200
Subject: make HSTS opt-in and leave it to the reverse-proxy

---
 support/nginx/peertube | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)


diff --git a/support/nginx/peertube b/support/nginx/peertube
index 0720dbd97..5d97c0cf1 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -44,7 +44,11 @@ server {
   gzip_types text/css text/html application/javascript;
   gzip_vary on;
 
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  # Enable HSTS
+  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+  # version. Once a browser sees this header, it will only visit the site over
+  # HTTPS for the next 2 years: (read more on hstspreload.org)
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;
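Review bot: The new comment above the disabled `add_header` line explains `max-age` but not the two directives that make enabling it hard to reverse: `includeSubDomains` applies the policy to every subdomain of the host, and `preload` signals consent to inclusion in browsers' built-in lists, which is slow to undo. I would add a line such as `# Only uncomment once every subdomain serves valid HTTPS; drop "preload" unless you intend to submit the domain.` When the header is enabled, `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` would also send it on error responses. With the line commented out, an instance deployed from this template sends no HSTS header at all, so the install documentation should probably point operators at this block. The `server` block starts and ends outside the hunk, so whether nested `location` blocks set their own `add_header` (which would stop this one from being inherited) cannot be checked from here.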
-- 
cgit v1.2.3