Thanks for the reply Louis 🙂
The standard requires sending this header always, except when the request is made to plain HTTP. This means an HSTS Host returns the “Strict-Transport-Security” HTTP response header field in its HTTP response messages sent over secure transport. An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. ‘Always’ means that the header will be sent even if the HTTP status code is 4xx, or 5xx. So arguably, it should be set to always in the HTTPS blocks and not be set in HTTP blocks at all. Hopefully, that can help. 🙂
add_header Strict-Transport-Security max-age=10886400;
Header always set Strict-Transport-Security “max-age=10886400; includeSubDomains”
Hi Elvis!
Is ‘always’ set correct?
Sometimes it is used, sometimes it is not used.
For example used on Apache but not on NGINX:
Hi there,
Thank you!

Similar Posts