# HSTS (Strict-Transport-Security) with the preload token.
#
# The header is built into a variable so that it is emitted only on HTTPS
# responses: when $hsts_header_value stays empty, nginx's add_header omits
# the header entirely, so plain-HTTP responses never carry an HSTS policy.
# Default to "no header".
set $hsts_header_value "";

# Keep the same HTTP/HTTPS guard as hsts.conf. The only difference is the
# preload token, which should be enabled only after the whole domain tree is
# known to be HTTPS-only.
#
# Review notes on the policy value:
#   - max-age=31536000 is one year (365 * 24 * 3600 seconds); browsers
#     refresh the expiry on every HTTPS response that carries the header.
#   - includeSubDomains applies the policy to every subdomain, including
#     ones not served by this nginx instance.
#   - preload signals that the site may be submitted to the browser preload
#     list; once a domain is on that list, reverting to HTTP (or dropping a
#     subdomain from HTTPS) is slow and disruptive, so treat this as a
#     long-term commitment rather than a toggle.
# "$scheme = "https"" is nginx's string-equality test inside "if".
if ($scheme = "https") {
    set $hsts_header_value "max-age=31536000; includeSubDomains; preload";
}

# "always" adds the header on every response code (including 4xx/5xx), not
# just the default 2xx/3xx set.
# NOTE(review): add_header directives are inherited from the enclosing level
# only when the current level defines none of its own. If this file is
# included inside a location block, any add_header lines at server level are
# not applied to that location — confirm the other security headers are
# still present where this is included.
add_header Strict-Transport-Security $hsts_header_value always;