From 643afeeae75fd5c3c67cb6e461b2969548c31282 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 5 Jun 2025 16:02:27 -0400
Subject: [PATCH] enable STS for browser redirects
---
 salt/nginx/etc/nginx.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 069e55cdb..5fa98a882 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -383,6 +383,7 @@ http {
 }
 if ($request_uri ~* ^/(?!(^/api/.*))) {
 add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 }
 return 302 /auth/self-service/login/browser;
 }
@@ -392,6 +393,7 @@ http {
 return 403;
 }
 add_header Set-Cookie "ory_kratos_session=;Path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 return 302 /auth/self-service/login/browser;
 }
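Review bot: In the first hunk the new `Strict-Transport-Security` header sits inside the `if ($request_uri ...)` block, so a 302 from that location is sent without it whenever the condition does not match, while the second hunk sets it unconditionally at location level. nginx applies only the `add_header` directives of the innermost block that defines any, so covering both paths would need the same line repeated directly before `return 302 /auth/self-service/login/browser;` as well as inside the `if`. The policy string is now written out in two places (and presumably again at server level, which is outside the hunks), so a short comment such as `# add_header is not inherited into a block that sets its own; keep this STS value in sync with the server-level one` would help the next editor. Both location blocks start outside their hunks.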