From d07729f5b66b10b80c6857c4f918c2ff4f699049 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Mon, 19 Oct 2020 20:21:04 +0200
Subject: set HSTS header unconditionally, with an age of 2 years

---
 apache2/conf-available/security.conf      | 20 +-------------------
 apache2/conf-available/security.conf.diff | 22 ++--------------------
 2 files changed, 3 insertions(+), 39 deletions(-)

diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
index 6652f0d..2fcb473 100644
--- a/apache2/conf-available/security.conf
+++ b/apache2/conf-available/security.conf
@@ -88,24 +88,6 @@ Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), a
 Header always set Referrer-Policy "no-referrer-when-downgrade"
 
 # enable Strict Transport Security
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-</IfDefine>
+Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload"
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/conf-available/security.conf.diff b/apache2/conf-available/security.conf.diff
index 66829ed..c363be3 100644
--- a/apache2/conf-available/security.conf.diff
+++ b/apache2/conf-available/security.conf.diff
@@ -9,7 +9,7 @@
  #ServerTokens Full
  
  #
-@@ -60,14 +60,52 @@
+@@ -60,14 +60,34 @@
  # else than declared by the content type in the HTTP headers.
  # Requires mod_headers to be enabled.
  #
@@ -43,24 +43,6 @@
 +Header always set Referrer-Policy "no-referrer-when-downgrade"
 +
 +# enable Strict Transport Security
-+# <http://www.debian-administration.org/articles/662>
-+<IfDefine !_NO_HSTS>
-+<IfDefine !_NO_HSTS_SUBDOMAINS>
-+<IfDefine !_NO_HSTS_PRELOAD>
-+	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-+</IfDefine>
-+<IfDefine _NO_HSTS_PRELOAD>
-+	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-+</IfDefine>
-+</IfDefine>
-+<IfDefine _NO_HSTS_SUBDOMAINS>
-+<IfDefine !_NO_HSTS_PRELOAD>
-+	Header set Strict-Transport-Security: "max-age=15768000;preload"
-+</IfDefine>
-+<IfDefine _NO_HSTS_PRELOAD>
-+	Header set Strict-Transport-Security: "max-age=15768000"
-+</IfDefine>
-+</IfDefine>
-+</IfDefine>
++Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload"
  
  # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-- 
cgit v1.2.3