Reword HSTS configuration to warn user of nginx's add_header shortcomings

diff --git a/support/nginx/peertube b/support/nginx/peertube
index 50d3a919feb5a30aadedbadfd6bb52ae9e8db7ad..14e60ed7dccfe5f51f931c0857f1eec9b8be8b4a 100644 (file)
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -33,6 +33,8 @@ server {
   ssl_session_tickets off; # Requires nginx >= 1.5.9
   ssl_stapling on; # Requires nginx >= 1.3.7
   ssl_stapling_verify on; # Requires nginx => 1.3.7
+  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
   # Configure with your resolvers
   # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
@@ -49,12 +51,6 @@ server {
   # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
   # client_body_temp_path /var/www/peertube/storage/nginx/;
 
-  # Enable HSTS
-  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
-  # version. Once a browser sees this header, it will only visit the site over
-  # HTTPS for the next 2 years: (read more on hstspreload.org)
-  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;