References: [Analysis of HSTS - blog] [HTTP HSTS protocol and nginx - O&M survival time] [HSTS]
Header: Strict-Transport-Security
Strict-Transport-Security format
Strict-Transport-Security: <max-age=NUMBER>[; includeSubDomains][; preload]
max-age: Unit: seconds. How long the browser keeps the HSTS policy before it expires, generally set to 1 year, that is, 31536000 seconds. Each time a response carries the HSTS header, the expiration time is refreshed.
includeSubDomains: The HSTS policy also applies to every subdomain of the domain, so HTTPS must be enabled on all of them.
preload: Set this item only when the domain is to be added to the browser's built-in preload list.
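An added example (not from the original page): a Python check that parses a Strict-Transport-Security value in the format above and reports weak settings. The names parse_hsts and audit and the sample header values are constructed for illustration; the preload check assumes the preload list's requirement of a one-year max-age together with includeSubDomains.

```python
# Added example: audit Strict-Transport-Security header values (RFC 6797 syntax).
ONE_YEAR = 31536000  # the value the page recommends for max-age

def parse_hsts(value):
    """Return (policy, errors); policy is None when a browser would ignore the header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    errors, seen = [], set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            errors.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if arg.isascii() and arg.isdigit():
                policy["max_age"] = int(arg)
            else:
                errors.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is unknown and ignored
    if "max-age" not in seen:
        errors.append("max-age is missing (required)")
    return (None if errors else policy), errors

def audit(value):
    """Return findings for one header value; an empty list means no issue found."""
    policy, findings = parse_hsts(value)
    if policy is None:
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the HSTS policy from the browser")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if policy["preload"] and not (policy["include_subdomains"] and policy["max_age"] >= ONE_YEAR):
        findings.append("preload set but the header does not meet preload list requirements")
    return findings

if __name__ == "__main__":
    for sample in ('max-age=31536000; includeSubDomains; preload',  # constructed samples
                   'max-age=300; preload', 'includeSubDomains'):
        print(repr(sample), "->", audit(sample) or "ok")
```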
Nginx configuration example
server {
    listen 80;
    server_name xx.xx;
    # Redirect plain-HTTP requests to HTTPS
    return 301 https://$host;
}
server {
    listen 443 ssl;
    server_name xx.xx.xx;
    ssl_certificate cert/xx.pem;
    ssl_certificate_key cert/xx.key;
    ....
    # "always" adds the header regardless of the response code
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    location / {
    }
    ....
}
Nginx: Configure HSTS