
How to Disable HTTP Strict Transport Security Policy in NGINX

HTTP Strict Transport Security (HSTS) tells browsers to reach your site only over HTTPS for a stated period, which protects your website/applications against protocol-downgrade and SSL-stripping man-in-the-middle attacks (it does not address clickjacking; that is the job of frame-ancestors / X-Frame-Options). Because browsers cache the policy, disabling it is a two-step process rather than a simple removal. If HSTS is causing problems, for example because a host or subdomain cannot be served over HTTPS, here are the steps to disable the HTTP Strict Transport Security policy in NGINX.


How to Disable HTTP Strict Transport Security Policy in NGINX

Here are the steps to disable HSTS in NGINX.


1. Open NGINX configuration file

Open a terminal and run the following command to open the main NGINX configuration file.

$ sudo vi /etc/nginx/nginx.conf

Depending on your installation, the NGINX configuration may instead live under /usr/local/nginx/conf or /usr/local/etc/nginx. On most distributions the HSTS header is not set in nginx.conf itself but in a per-site file that it includes (typically under conf.d or sites-enabled in the same directory), so search the whole configuration directory for the string Strict-Transport-Security rather than only the main file.



2. Disable HTTP Strict Transport Security Policy

Look for the following line in your NGINX configuration. There may be one per server or location block.

add_header Strict-Transport-Security ...

Do not simply delete it yet. Browsers that have already received the header keep enforcing HTTPS for as long as the max-age it advertised (commonly a year), and removing the header does nothing to clear that cached policy; those clients will keep refusing plain HTTP until their copy expires. Instead, replace the line with one that sends a max-age of zero:

add_header Strict-Transport-Security "max-age=0";

max-age is measured in seconds, not days. A value of 0 tells a browser to delete the policy it has cached for this host the next time it visits over HTTPS, which is the only supported way to switch HSTS off early. Keep serving this header for at least as long as the previous max-age, and only then remove the line or comment it out by adding # at its beginning. If the old header carried includeSubDomains, the max-age=0 header must be served from the parent domain, because that is where the policy was set; if it carried preload and the domain was submitted to the browser preload lists, the header alone cannot undo that and a removal request to the preload list is needed as well.

If you do not find the line anywhere in the NGINX configuration, check the application behind NGINX and any proxy or load balancer in front of it, since the header may be set there. Add the max-age=0 line in NGINX only if nothing else emits the header: a response carrying two Strict-Transport-Security headers is processed on the first one only, so a second header added by NGINX would be ignored.

Add the line in the server block of your NGINX configuration that listens on port 443 (SSL/HTTPS); browsers ignore the header on plain HTTP responses. Note that add_header directives are not inherited into a location block that defines its own add_header, so check every location block that sets headers of its own.

server {
   listen 443 ssl;
   ...
   # Step 1: clear the policy browsers have cached (max-age is in seconds).
   # Step 2, after the old max-age has elapsed: remove this line entirely.
   add_header Strict-Transport-Security "max-age=0";
   ...
}



3. Reload NGINX server

Check the configuration for syntax errors first (nginx -t) and then reload or restart NGINX to apply the change. A reload is enough to pick up a header change and does not drop open connections; a restart also works.

$ sudo service nginx restart

Online tools such as Qualys SSL Labs report whether HSTS is enabled for a host, but they test the public hostname from outside, so use them only after the change has propagated through any CDN or load balancer. For an immediate check, request the HTTPS URL's response headers with curl -I and look at the Strict-Transport-Security line: during the clearing period it should read max-age=0, and once you have removed the directive it should be absent. Check the https:// URL, not the http:// one; the header is only sent from the 443 server block and browsers ignore it over plain HTTP anyway.
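The verification step above is easy to get wrong by eye (a lowercase header name, a stray includeSubDomains or preload, a header with no max-age at all), so here is a small shell function that classifies what a server is announcing. It is an added example, not code from the original article: it parses raw response headers of the kind curl -sI prints, reports whether the policy is enforced, being cleared (max-age=0), absent or invalid, and flags includeSubDomains and preload because those decide whether max-age=0 from this host is enough. The four sample responses embedded in it are constructed; the domain and function name are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: classify the HSTS policy a
# server announces from its raw response headers. In real use, feed it the
# output of `curl -sI https://your.host/`; the four samples below are constructed.

# Prints a one-line verdict. Exit status: 0 = enforced, 1 = being cleared
# (max-age=0), 2 = header absent, 3 = header present but invalid.
hsts_status() {
    # Header names are case-insensitive and curl output uses CRLF. If a response
    # carries several STS headers, browsers process only the first, so take that.
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | tr -d ' \t"')
    if [ -z "$value" ]; then
        echo "absent: no Strict-Transport-Security header (clients keep any policy they already cached)"
        return 2
    fi
    # RFC 6797 requires a numeric max-age directive; without it the header is ignored.
    max_age=$(printf '%s\n' "$value" | tr ';' '\n' | grep -i '^max-age=' | head -n 1 | cut -d= -f2)
    case "$max_age" in
        ''|*[!0-9]*)
            echo "invalid: '$value' has no numeric max-age, browsers ignore it"
            return 3 ;;
    esac
    # These two directives matter when disabling: includeSubDomains means the
    # policy was set by the parent domain, preload means a list removal is needed.
    flags=""
    printf '%s\n' "$value" | grep -qi 'includeSubDomains' && flags="$flags includeSubDomains"
    printf '%s\n' "$value" | grep -qi 'preload' && flags="$flags preload"
    if [ "$max_age" -eq 0 ]; then
        echo "clearing: max-age=0, cached policy is dropped on the next HTTPS visit$flags"
        return 1
    fi
    echo "enabled: max-age=$max_age (about $((max_age / 86400)) days)$flags"
    return 0
}

# Constructed sample responses in the shape curl -sI prints (CRLF line endings).
SAMPLE_ENABLED=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\nContent-Type: text/html\r\n')
SAMPLE_CLEARING=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nstrict-transport-security: max-age=0\r\n')
SAMPLE_ABSENT=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n')
SAMPLE_INVALID=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains\r\n')

# Stand-alone demo. Against a live host: hsts_status "$(curl -sI https://example.com/)"
for sample in "$SAMPLE_ENABLED" "$SAMPLE_CLEARING" "$SAMPLE_ABSENT" "$SAMPLE_INVALID"; do
    hsts_status "$sample" || :
done
```

Run it against the https:// URL of the host you just reconfigured. Expect "clearing" while the max-age=0 line is in place and "absent" after you remove it; an "enabled" verdict after a reload usually means the header is coming from a location block with its own add_header, from the application behind NGINX, or from a proxy in front of it. If the verdict lists preload, clearing the header from this host is not enough on its own.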
