From 9054290e071faf01f95fd3ae018cc7f929f1ffbe Mon Sep 17 00:00:00 2001
From: Robert Lemke
Date: Thu, 3 Mar 2022 16:40:53 +0100
Subject: [PATCH] Introduce NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE
---
 README.md | 1 +
 root-files/opt/flownative/lib/nginx-legacy.sh | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index c06083d..9ac636d 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ for possible values. The default value is `warn`.
 | NGINX_STATIC_ROOT | string | /var/www/html | Document root path for when BEACH_NGINX_MODE is "Static" |
 | NGINX_STRICT_TRANSPORT_SECURITY_ENABLE | boolean | no | If Strict-Transport-Security headers should be sent (HSTS) |
 | NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD | boolean | no | If site should be added to list of HTTPS-only sites by Google and others |
+| NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE | boolean | 31536000 | Maxmimum age for Strict-Transport-Security header, if enabled |
 | NGINX_AUTH_BASIC_REALM | string | off | Realm for HTTP Basic Authentication; if "off", authentication is disabled |
 | NGINX_AUTH_BASIC_USERNAME | string | | Username for HTTP Basic Authentication |
 | NGINX_AUTH_BASIC_ENCODED_HASHED_PASSWORD | string | | Base64-encoded hashed password (using httpasswd) for HTTP Basic Authentication |
diff --git a/root-files/opt/flownative/lib/nginx-legacy.sh b/root-files/opt/flownative/lib/nginx-legacy.sh
index 8fde553..c816ab1 100644
--- a/root-files/opt/flownative/lib/nginx-legacy.sh
+++ b/root-files/opt/flownative/lib/nginx-legacy.sh
@@ -60,6 +60,7 @@ export NGINX_CUSTOM_ERROR_PAGE_TARGET=${NGINX_CUSTOM_ERROR_PAGE_TARGET:-${BEACH_
 export NGINX_STRICT_TRANSPORT_SECURITY_ENABLE=${NGINX_STRICT_TRANSPORT_SECURITY_ENABLE:-no}
 export NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD=${NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD:-no}
+export NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE:-31536000}
 export NGINX_AUTH_BASIC_REALM=${NGINX_AUTH_BASIC_REALM:-off}
 export NGINX_AUTH_BASIC_USERNAME=${NGINX_AUTH_BASIC_USERNAME:-}
@@ -128,12 +129,12 @@ EOM
 if is_boolean_yes "${NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD}"; then
 info "Nginx: Enabling Strict Transport Security with preloading ..."
 cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM
- add_header Strict-Transport-Security "max-age=31536000; preload" always;
+ add_header Strict-Transport-Security "max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE}; preload" always;
 EOM
 else
 info "Nginx: Enabling Strict Transport Security without preloading ..."
 cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM
- add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header Strict-Transport-Security "max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE}" always;
 EOM
 fi
 fi
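Review bot: The value of `NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE` is never checked to be a number: the new `export` line only supplies a default, and the second hunk (`@@ -128,12 +129,12 @@`) writes whatever the environment holds into `site.conf` inside a quoted nginx string. A non-numeric value such as `yes` (plausible, since the README row added by this commit lists the type as boolean) would produce `max-age=yes`, which browsers are expected to discard as malformed, so HSTS would silently stop applying; a value containing a double quote or a semicolon would end the `add_header` directive early and alter the generated configuration. A digits-only guard right after the default covers both cases, for example `case "${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE}" in ''|*[!0-9]*) echo "NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE must be a non-negative integer" >&2; exit 1 ;; esac`. Whether `exit` or a fallback to the default is the right reaction depends on how this library is sourced, which the hunk does not show.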
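Review bot: In the preload branch the header can now carry `preload` together with a max-age shorter than one year, and a value of `0` tells browsers to drop the stored policy altogether. The preload list's submission requirements ask for a max-age of at least 31536000 seconds plus `includeSubDomains`, so a lower setting leaves the `preload` token without effect while the log line still announces preloading. I would report that case before the `cat`, e.g. `[ "${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE}" -ge 31536000 ] || info "Nginx: max-age is below 31536000; the site will not qualify for HSTS preloading"`, and add a comment above the heredoc stating the preload requirements. The enclosing `if` starts before this hunk, so the condition that enables HSTS is not visible here.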