How do I add HSTS headers to my nginx / react app on app engine flex?

Well, now i feel foolish.

All I had to do was add the following line in the right place:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

I was initially trying to add it just above the if ( $http_x_forwarded... part and I was also trying it with the always keyword at the end as well and my deploy kept failing with this line in it.

Anyway, it works!

the full resulting nginx.conf is as follows:

worker_processes 1;events {  worker_connections 1024;}http {  sendfile on;  tcp_nopush on;  tcp_nodelay on;  keepalive_timeout 65;  types_hash_max_size 2048;  include /etc/nginx/mime.types;  default_type application/octet-stream;  # Logs will appear on the Google Developer's Console   # when logged to this directory.  access_log /var/log/app_engine/app.log;  error_log /var/log/app_engine/app.log;  gzip on;  gzip_disable "msie6";  server {    listen 8080;    server_name localhost;    root /src/build;    if ( $http_x_forwarded_proto = 'http' ) {      return 301 https://$host$request_uri;    }    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";            location /nginx_status {      stub_status on;      access_log off;    }    location / {      try_files $uri $uri/ /index.html;    }  }}