Support the ongoing development of Laravel.io →
smockensturm
posted 3 years ago
Security
Last updated 2 years ago.
0
tomhatzer
replied 3 years ago
Solution

Hey!

You can update your nginx configuration like described in this Laracasts episode: https://laracasts.com/series/learn-laravel-forge/episodes/22

With the config open, add this line to the server block for your canonical domain:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

so it will look something like this:

server {
    listen 443 ssl;
    ...
    server_name <your-canonical-domain>;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...
}

You can change the max-age value to your preferred value.

0
Solution selected by @driesvints
smockensturm
replied 3 years ago

Hey! Thanks!

But that also forces the WWW to be secure, yes? We do not want that. Does that make sense?

0
tomhatzer
replied 3 years ago

Ah, yeah. You can remove the includeSubDomains and only leave the max-age like this:

add_header Strict-Transport-Security "max-age=31536000" always;

The mozilla docs show this as valid option.

Last updated 3 years ago.
0
smockensturm
replied 3 years ago

Great. Thanks a bunch!

0

Sign in to participate in this thread!

Eventy

Your banner here too?

Steve Mock smockensturm Joined 3 Nov 2021

Moderators

We'd like to thank these amazing companies for supporting us

Eventy NativePHP
Fathom
Forge
Envoyer
Beyond Code
BairesDev
N-iX
Litslink

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X (Twitter) Bluesky Bluesky GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2025 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise