authorJonas Smedegaard <dr@jones.dk>2020-10-19 16:08:29 +0200
committerJonas Smedegaard <dr@jones.dk>2020-10-19 16:08:29 +0200
commit05cb98890b5a960be8ebd7885195a522bb10e2ce (patch)
tree462be48c11be4f578d281e4ca65d7110e4e43730
parentc2c041878a5ddf9d543767518684c7751d4a6317 (diff)
set HSTS header in conf snippet local-securityheaders (not local-ssl), and enable preload unless _NO_HSTS_PRELOAD is set
-rw-r--r--apache2/conf-available/local-securityheaders.conf21
-rw-r--r--apache2/conf-available/local-ssl.conf11
2 files changed, 21 insertions, 11 deletions
diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf
index a72a25e..0930702 100644
--- a/apache2/conf-available/local-securityheaders.conf
+++ b/apache2/conf-available/local-securityheaders.conf
@@ -1,6 +1,27 @@
# Security headers
# More info: <https://securityheaders.com/>
+# enable HSTS
+# <http://www.debian-administration.org/articles/662>
+<IfDefine !_NO_HSTS>
+<IfDefine !_NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+ Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+ Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+</IfDefine>
+</IfDefine>
+<IfDefine _NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+ Header add Strict-Transport-Security: "max-age=15768000;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+ Header add Strict-Transport-Security: "max-age=15768000"
+</IfDefine>
+</IfDefine>
+</IfDefine>
+
# Avoid Clickjack attacks
Header always set X-Frame-Options "SAMEORIGIN"
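Review bot: Emitting `preload` by default is a consequential opt-out: every host that includes this shared snippet without `-D _NO_HSTS_PRELOAD` signals consent to being hardcoded into browser preload lists, which is slow to reverse and applies to all subdomains, so preload should require an explicit opt-in such as `<IfDefine _HSTS_PRELOAD>` rather than being the default branch. With `max-age=15768000` (about six months) the header would in any case currently be rejected by the hstspreload.org submission check, which requires a max-age of at least 31536000 seconds plus `includeSubDomains`, so the `max-age=15768000;preload` variant without includeSubDomains can never actually be preloaded and the token is misleading there. Separately, the four `Header add Strict-Transport-Security:` lines use the onsuccess header table only, so 4xx/5xx responses leave HSTS unset, and `add` can yield a duplicate header when an application or upstream also sets one (per RFC 6797 §8.1 the UA honours only the first occurrence). The X-Frame-Options line below already uses the stronger form; each branch should become e.g. `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` with the directives trimmed per branch.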
diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index 83acb90..da6de62 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -19,17 +19,6 @@
RedirectMatch permanent ^(?!/.well-known/)(.*) https://${_HOST}/$1
</If>
-# enable HSTS
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
- Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
- Header add Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-
<IfModule mod_gnutls.c>
GnuTLSEnable on
<IfDefine _TLS_KEY>