Send Strict-Transport-Security header in 401 response

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Send Strict-Transport-Security header in 401 response

Thomas Glanzmann
Hello,
I would like to send the header:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Despite the 401 Unauthorized request. Is that possible?

Currently the header is only added after a successful authorization:

(x1) [~] curl -v https://tuvl.de
* Rebuilt URL to: https://tuvl.de/
* Hostname was NOT found in DNS cache
*   Trying 2a01:4f8:b0:2fff::2...
* Connected to tuvl.de (2a01:4f8:b0:2fff::2) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: CN=tuvl.de
*        start date: 2016-06-19 08:39:00 GMT
*        expire date: 2016-09-17 08:39:00 GMT
*        subjectAltName: tuvl.de matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: tuvl.de
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 19 Jun 2016 09:47:40 GMT
< Content-Type: text/html
< Content-Length: 188
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Virtual Lab"
<
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host tuvl.de left intact

Cheers,
        Thomas

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Send Strict-Transport-Security header in 401 response

Francis Daly
On Sun, Jun 19, 2016 at 11:51:28AM +0200, Thomas Glanzmann wrote:

Hi there,

> I would like to send the header:
>
> add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
>
> Despite the 401 Unauthorized request. Is that possible?

http://nginx.org/r/add_header

That suggests that you can use an "always" parameter.

Is that appropriate in this case?

If not, then possibly the third-party "headers more" module may be useful.

        f
--
Francis Daly        [hidden email]

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Send Strict-Transport-Security header in 401 response

Thomas Glanzmann
Hello Francis,

* Francis Daly <[hidden email]> [2016-06-19 11:57]:
> http://nginx.org/r/add_header

> That suggests that you can use an "always" parameter.

> Is that appropriate in this case?

yes, thank you a lot. That solved my problem.

Cheers,
        Thomas

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx