by taway2012
4525 days ago
Thanks for the response. I get the A+ site when I directly visit via IP. I went through the delta between the reports with a fine-toothed comb and discovered that SNI wasn't the problem. It was a biggie: looks like HSTS wasn't enabled for visits to the static part of the site (like the homepage). It seems like Nginx is doing something counter-intuitive. I've set HSTS at the server level using the 'add_header' directive. I've set 'max-age=0, must-revalidate' at the location level using add_header for the static parts of my site. I expected Nginx to add both add_headers, but it only seems to do the "deepest" set of add_headers it finds. Duplicating the 'add_header' directive at the location level (resulting in two add_header directives) results in HSTS being sent for the static parts also. Now I get A+ on SSL Labs for both sites.
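The inheritance rule the comment ran into is documented Nginx behaviour: `add_header` directives are inherited from the enclosing level only if the current level defines no `add_header` of its own. The following configuration is an added illustration, not the commenter's actual config; the hostname, certificate paths and backend address are placeholders, and the location-level header is assumed to be a `Cache-Control` header, which the comment does not name explicitly.

```nginx
# Added example (not the commenter's configuration). Hostnames, paths and the
# backend address are placeholders. It reproduces the rule behind the behaviour
# described above: Nginx inherits add_header from the parent level only when
# the current level sets no add_header at all.

# --- BEFORE: HSTS silently lost on the static part of the site -------------
server {
    listen 443 ssl;
    server_name example.com;                      # placeholder
    ssl_certificate     /etc/ssl/example.com.crt; # placeholder
    ssl_certificate_key /etc/ssl/example.com.key; # placeholder

    # Set once at server level, intended to apply to every response.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # This location sets its own add_header (assumed here to be Cache-Control).
    # Because the block now has add_header directives of its own, the
    # server-level one is NOT inherited: responses for the homepage and other
    # static files leave without any Strict-Transport-Security header.
    location /static/ {
        add_header Cache-Control "max-age=0, must-revalidate";
    }

    location / {
        # No add_header here, so the server-level HSTS header IS inherited.
        proxy_pass http://127.0.0.1:8080;         # placeholder backend
    }
}

# --- AFTER: restate the header in every block that sets any add_header -----
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;

    # "always" (Nginx 1.7.5+) also attaches the header to error responses,
    # which would otherwise be sent without it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static/ {
        # Duplicated deliberately: as soon as this block sets any add_header,
        # it must repeat every header it still wants from the parent level.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Cache-Control "max-age=0, must-revalidate";
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

To confirm the fix on a running server, fetch a static path and a dynamic path with `curl -sI https://example.com/static/` and `curl -sI https://example.com/` and check that both responses carry `Strict-Transport-Security`; the same check against the pre-fix configuration shows the header missing on the static path. If several locations need the same headers, keeping the `add_header` lines in one snippet file and using `include` inside each block that sets headers avoids the copies drifting apart.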