Send Strict-Transport-Security header in 401 response

Hello,
I would like to send the header:

add_header Strict-Transport-Security “max-age=31536000;
includeSubDomains”;

Despite the 401 Unauthorized request. Is that possible?

Currently the header is only added after a successful authorization:

(x1) [~] curl -v https://tuvl.de

  • Rebuilt URL to: https://tuvl.de/
  • Hostname was NOT found in DNS cache
  • Trying 2a01:4f8:b0:2fff::2…
  • Connected to tuvl.de (2a01:4f8:b0:2fff::2) port 443 (#0)
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs
  • SSLv3, TLS handshake, Client hello (1):
  • SSLv3, TLS handshake, Server hello (2):
  • SSLv3, TLS handshake, CERT (11):
  • SSLv3, TLS handshake, Server key exchange (12):
  • SSLv3, TLS handshake, Server finished (14):
  • SSLv3, TLS handshake, Client key exchange (16):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • Server certificate:
  •    subject: CN=tuvl.de
    
  •    start date: 2016-06-19 08:39:00 GMT
    
  •    expire date: 2016-09-17 08:39:00 GMT
    
  •    subjectAltName: tuvl.de matched
    
  •    issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    
  •    SSL certificate verify ok.
    

GET / HTTP/1.1
User-Agent: curl/7.38.0
Host: tuvl.de
Accept: /

< HTTP/1.1 401 Unauthorized

  • Server nginx is not blacklisted
    < Server: nginx
    < Date: Sun, 19 Jun 2016 09:47:40 GMT
    < Content-Type: text/html
    < Content-Length: 188
    < Connection: keep-alive
    < WWW-Authenticate: Basic realm=“Virtual Lab”
    <
401 Authorization Required

401 Authorization Required


nginx * Connection #0 to host tuvl.de left intact

Cheers,
Thomas

On Sun, Jun 19, 2016 at 11:51:28AM +0200, Thomas G. wrote:

Hi there,

I would like to send the header:

add_header Strict-Transport-Security “max-age=31536000; includeSubDomains”;

Despite the 401 Unauthorized request. Is that possible?

http://nginx.org/r/add_header

That suggests that you can use an “always” parameter.

Is that appropriate in this case?

If not, then possibly the third-party “headers more” module may be
useful.

f

Francis D. [email protected]

Hello Francis,

http://nginx.org/r/add_header

That suggests that you can use an “always” parameter.

Is that appropriate in this case?

yes, thank you a lot. That solved my problem.

Cheers,
Thomas

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs