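# Default to an empty value. nginx's add_header does not emit a header whose
# value is an empty string, so plain-HTTP responses carry no
# Strict-Transport-Security header at all.
set $hsts_header_value "";

# Only emit HSTS on HTTPS responses. This lets a single server block listen on
# both 80 and 443 without sending a meaningless STS header over plain HTTP.
# (Browsers ignore Strict-Transport-Security when it arrives over plain HTTP.)
#
# includeSubDomains extends the policy to every subdomain of this host, so
# each of them must be reachable over HTTPS before this is deployed. Browsers
# cache the policy for max-age seconds (31536000 = 365 days).
if ($scheme = "https") {
    set $hsts_header_value "max-age=31536000; includeSubDomains";
}

# "always" adds the header regardless of response code; without it nginx adds
# headers only to a fixed set of success and redirect responses, so error
# pages would go out without HSTS.
#
# NOTE: add_header directives are inherited from this level only when the
# inner block (e.g. a location) defines no add_header of its own. Any block
# that sets its own headers must repeat this line, or its responses are sent
# without Strict-Transport-Security.
add_header Strict-Transport-Security $hsts_header_value always;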