With SSL getting pretty cheap through some providers, and many guides offering easy instructions to get set up, be sure to approach with caution.
The information available there is all very good.
There is one line that you should be very cautious about understanding properly:
# Add HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
HSTS is a very good idea and the browser support is really good. You should definitely implement it.
What you need to be careful with is
It may be a good idea in the context of your website, but consider this scenario:
- You store the media assets for your website (e.g. some eCommerce website called shithotwatches.com) on Amazon S3
- You've set up a CNAME alias on your domain that maps to your S3 storage, e.g. media.shithotwatches.com
- All your images (or other assets) on shithotwatches.com use media.shithotwatches.com URLs
This will totally break the images on your website. Because the parent domain (your website) says that all subdomains must be upgraded to SSL, the browser will automatically rewrite every embedded image URL on media.shithotwatches.com to https://media.shithotwatches.com, and S3 does not support SSL on custom domains.
Effectively, most browsers will then fail to render the assets because of the certificate name mismatch.
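The following script is an added example (not part of the original post) that models the browser-side rule behind this breakage: an HSTS policy received from a host covers that host, and, only when includeSubDomains is present, every label-wise subdomain of it (RFC 6797). It parses the header value from the nginx line above, scans a constructed HTML snippet for plain-http asset URLs, and reports which hosts the policy would silently upgrade to https. The domain names are the post's own; the HTML and the function names are assumptions made for the example. It also shows a detail the post does not spell out: the policy attaches to the host that sent the header, so a header sent only from www.shithotwatches.com would not reach media.shithotwatches.com, while one sent from the apex domain does.

```python
import re
from urllib.parse import urlsplit

# Header value copied from the nginx add_header line in the post.
HSTS_HEADER = "max-age=31536000; includeSubdomains"

# Constructed sample page: two media assets on the CNAME subdomain,
# one third-party script, and one asset already on https.
SAMPLE_HTML = """
<img src="http://media.shithotwatches.com/watch1.jpg">
<img src="http://media.shithotwatches.com/watch2.jpg">
<script src="http://cdn.example.net/lib.js"></script>
<img src="https://shithotwatches.com/logo.png">
"""


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directive names are case-insensitive (RFC 6797 section 6.1), so the
    'includeSubdomains' spelling used in the post and the canonical
    'includeSubDomains' are treated alike.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required in an HSTS header")
    return max_age, include_sub


def hsts_applies(policy_host, include_subdomains, request_host):
    """Return True if a browser holding the policy would force HTTPS for request_host.

    RFC 6797 section 8.3: the request host matches if it equals the host that
    sent the policy, or (with includeSubDomains) is a subdomain of it, matched
    on whole DNS labels so 'notshithotwatches.com' does not match.
    """
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return include_subdomains and request_host.endswith("." + policy_host)


# Crude src/href extractor; good enough for a pre-deployment scan of static HTML.
URL_ATTR = re.compile(r'(?:src|href)=["\']([^"\']+)["\']', re.IGNORECASE)


def upgraded_hosts(html, policy_host, header_value):
    """Hosts referenced over plain http that the HSTS policy would upgrade.

    Every host returned must serve HTTPS with a certificate valid for that
    exact name, or the asset will fail to load once the policy is cached.
    """
    _, include_sub = parse_hsts(header_value)
    hosts = set()
    for url in URL_ATTR.findall(html):
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            continue
        if hsts_applies(policy_host, include_sub, parts.hostname):
            hosts.add(parts.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for policy_host in ("shithotwatches.com", "www.shithotwatches.com"):
        affected = upgraded_hosts(SAMPLE_HTML, policy_host, HSTS_HEADER)
        print(f"policy from {policy_host}: would upgrade {affected or 'nothing'}")
```

Run it against the real HTML of your pages before enabling includeSubDomains: any host it lists that cannot present a certificate for its own name is exactly the media.shithotwatches.com case described above.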
So you then have these options:
- Take out includeSubdomains
- Use the full S3 bucket name address, since the S3 SSL certificate works for those addresses
- Use something like CloudFront to deliver the images (extra costs involved)