I am posting this here just to document this in the public space since some of the SSL Labs folks helped me with it offline and I wanted to make sure the information shared was publicly indexed.
I have a web site that is publicly accessible and has HSTS headers enabled (using NGINX to insert them). This works great and the SSL Labs tool properly shows HSTS as being enabled. I then also have another version of this site that has basic authentication enabled since it is the development version of the site. When testing against this development site SSL Labs shows that HSTS is not enabled.
It would appear that the issue is due to NGINX not inserting that header on the error it returns when you curl without the username/password being sent.
I have asked for perhaps an enhancement to the tool such that it shows when the HSTS test gets an error (vs. a successful page load).
Header add Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv2 -SSLv3
$ curl -I https://foo.example.com
HTTP/1.1 401 Unauthorized
Date: Fri, 26 May 2017 16:45:46 GMT
WWW-Authenticate: Basic realm="Please Log In"
Content-Type: text/html; charset=iso-8859-1
Also, the SSL Labs folks were kind enough to point out that we should be doing something different with our HSTS header - so it is always sent on all responses. I am quoting them here so that their useful response is Googleable. I am going to add this directive now!
"We agree it would be useful to have a notice that the server responded with an unusual error code. That said, technically, you should be sending the HSTS header on all web server responses.
Modern Nginx has a setting that configures it to send headers non non-200 responses:
You need to add the "always" directive.
You're probably not going to meaningfully improve your security by doing this, but it's a useful thing to know."
Thanks to qualys and the folks at SSL Labs for making this great tool freely available!