From 05cb98890b5a960be8ebd7885195a522bb10e2ce Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Mon, 19 Oct 2020 16:08:29 +0200
Subject: set HSTS header in conf snippet local-securityheaders (not
 local-ssl), and enable preload unless _NO_HSTS_PRELOAD is set

---
 apache2/conf-available/local-securityheaders.conf | 21 +++++++++++++++++++++
 apache2/conf-available/local-ssl.conf             | 11 -----------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf
index a72a25e..0930702 100644
--- a/apache2/conf-available/local-securityheaders.conf
+++ b/apache2/conf-available/local-securityheaders.conf
@@ -1,6 +1,27 @@
 # Security headers
 # More info: <https://securityheaders.com/>
 
+# enable HSTS
+# <http://www.debian-administration.org/articles/662>
+<IfDefine !_NO_HSTS>
+<IfDefine !_NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+	Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+	Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+</IfDefine>
+</IfDefine>
+<IfDefine _NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+	Header add Strict-Transport-Security: "max-age=15768000;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+	Header add Strict-Transport-Security: "max-age=15768000"
+</IfDefine>
+</IfDefine>
+</IfDefine>
+
 # Avoid Clickjack attacks
 Header always set X-Frame-Options "SAMEORIGIN"
 
diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index 83acb90..da6de62 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -19,17 +19,6 @@
 	RedirectMatch permanent ^(?!/.well-known/)(.*) https://${_HOST}/$1
 </If>
 
-# enable HSTS
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
-	Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
-	Header add Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-
 <IfModule mod_gnutls.c>
 	GnuTLSEnable on
 	<IfDefine _TLS_KEY>
-- 
cgit v1.2.3