We just started serving the HSTS header at cdt.org. woo!
However, something is bugging me and I'm not sure if it will have an operational impact. Any help in fixing it or things that you might know will break would be helpful.
When I pull the headers we are serving:
% curl -I https://cdt.org
HTTP/1.1 200 OK
Date: Tue, 31 Mar 2015 20:42:33 GMT
Content-Type: text/html; charset=UTF-8
Link: <https://cdt.org/>; rel=shortlink
Strict-Transport-Security:: max-age=31536000; includeSubDomains; preload
Things look pretty good... except for the STS header which has two colons instead of just one. That is, where it says "Strict-Transport-Security::" I expect to see "Strict-Transport-Security:".
We're adding this the usual nginx way by putting the following in the server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
Which indicates that we're not adding the double colon on purpose or by accident. Running the configuration test ('/etc/init.d/nginx configtest') says it's ok.
Anyway, I'd love to get rid of those two colons and replace them with one. The current SSL Labs server test for us reports HSTS with a long lifetime, so that tool sees it... (although we get an F for an older version of OpenSSL, working on it). But I'm not sure if that double colon might break other things, though.
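The doubled colon matters more than a cosmetic blemish. An HTTP parser splits a field line at the first colon (RFC 7230, section 3.2), so the header name comes out intact but the field value begins with ":". RFC 6797 section 6.1 requires each directive to start with a token, and ":" is not a token character, so a grammar-strict user agent has to ignore the whole header (section 8.1) and record no HSTS policy, even though a lenient scanner may still report HSTS as present. The following is an added example, not the poster's code and not anything from the cdt.org configuration: a small RFC 6797 parser run over a constructed response head copied from the header lines pasted above, once as served and once with the extra colon removed. Which real browsers are this strict is something to check against each browser; the example implements what the RFC text says.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# RFC 7230 "token" (header names and directive names) and "quoted-string".
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + "+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# RFC 6797 section 6.1: directive = directive-name [ "=" directive-value ]
DIRECTIVE_RE = re.compile(
    r"^\s*(" + TOKEN + r")\s*(?:=\s*(" + TOKEN + "|" + QUOTED_STRING + r"))?\s*$"
)

# Constructed response heads for illustration: the first mirrors the header
# lines pasted in the post (doubled colon), the second is what nginx should emit.
RAW_AS_SERVED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 31 Mar 2015 20:42:33 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Link: <https://cdt.org/>; rel=shortlink\r\n"
    "Strict-Transport-Security:: max-age=31536000; includeSubDomains; preload\r\n"
)
RAW_CORRECTED = RAW_AS_SERVED.replace("Security::", "Security:")


def split_header_lines(raw_head: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (name, value) pairs.

    Like a browser, split each field line at its FIRST colon (RFC 7230
    section 3.2): a doubled colon leaves the name intact and puts ':' at
    the front of the value.  Colons inside values (the Link URL) are kept.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw_head.replace("\r\n", "\n").strip().split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_sts(value: str) -> Optional[Dict[str, Any]]:
    """Parse an STS field value against the RFC 6797 section 6.1 grammar.

    Returns None when the value does not conform; section 8.1 says a UA MUST
    ignore such a header, so None means "no HSTS policy is set".
    """
    policy: Dict[str, Any] = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        if not part.strip():
            continue  # the grammar permits empty directives: *( ";" [ directive ] )
        m = DIRECTIVE_RE.match(part)
        if m is None:
            return None  # e.g. a leading ':' is not a tchar, so not a directive-name
        name, arg = m.group(1).lower(), m.group(2)
        if name in seen:
            return None  # section 6.1: every directive MUST appear only once
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.strip('"').isdigit():
                return None  # max-age requires delta-seconds = 1*DIGIT
            policy["max_age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True  # valueless directive
        elif name == "preload":
            policy["preload"] = True  # not in RFC 6797; the preload-list extension
        # any other directive is unknown and ignored, as section 6.1 requires
    if policy["max_age"] is None:
        return None  # max-age is the one REQUIRED directive
    return policy


def hsts_policy(raw_head: str) -> Optional[Dict[str, Any]]:
    """Return the HSTS policy a grammar-strict UA would take from this response."""
    for name, value in split_header_lines(raw_head):
        if name.lower() == "strict-transport-security":
            return parse_sts(value)
    return None


if __name__ == "__main__":
    print("as served :", hsts_policy(RAW_AS_SERVED))   # None: header ignored
    print("corrected :", hsts_policy(RAW_CORRECTED))
```

Run against a live host by pasting the output of `curl -sI https://example.invalid` (a placeholder, not a real target) into `RAW_AS_SERVED`; a result of None with the header visibly present is exactly the "present but ignored" condition to look for.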