view mod_strict_https/README.md @ 6513:5fb466693e85

mod_storage_xmlarchive: Ensure list index files are removed using os.remove() on the list files leaves the new index files behind since util.datamanager does not know they are removed. Thanks Link Mauve
author Kim Alvefur <zash@zash.se>
date Tue, 07 Apr 2026 21:10:54 +0200
parents fe081789f7b5
children
line wrap: on
line source

---
summary: HTTP Strict Transport Security
---

# Introduction

This module implements [RFC 6797: HTTP Strict Transport Security] and
responds to all non-HTTPS requests with a `301 Moved Permanently`
redirect to the HTTPS equivalent of the path.

# Configuration

Add the module to the `modules_enabled` list and optionally configure
the specific header sent.

``` lua
modules_enabled = {
  ...
      "strict_https";
}
hsts_header = "max-age=31556952"
```

If the redirect from `http://` to `https://` causes trouble with
internal use of HTTP APIs it can be disabled:

``` lua
hsts_redirect = false
```

# Compatibility

  ------- -------------
  trunk   Should work
  0.12    Should work
  0.11    Should work
  ------- -------------