SSL Config

The Trellis docs claim that deploying SSL via Trellis’ deploy script should bring an A+ grade from SSL Labs (and indeed roots.io does). My site, however, only scores an A. It looks like the difference is that the deploy did not set up HSTS headers on my site. Is this by design or did I skip a step? The docs make it seem like all that needs to happen is to include your cert and keyfile.

HSTS header is added here: https://github.com/roots/trellis/blob/6c8d8919dc2c71642f3827945e9a326f464c315d/roles/wordpress-setup/templates/wordpress-site.conf.j2#L41

It’s under the SSL conditional so if you have SSL working then the header should be there. You can verify it’s in that file on your server.

So this is weird. Here are the response headers for the main site request:

There’s no HSTS header returned.

BUT, if you look at a request for an asset on the server:

HSTS header included.
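The two screenshots above are what a header check looks like by hand. The script below is an added example, not code from the thread or from Trellis, that does the same check on the command line: it reads raw response headers, reports whether `Strict-Transport-Security` is present, and whether its `max-age` is long enough. The 180-day threshold is an assumption chosen here, since SSL Labs has tied the A+ bonus to a long HSTS max-age; the sample header blocks are constructed for the demo, and `check_url` is a hypothetical helper name that needs `curl` and a URL of your own.

```shell
#!/bin/sh
# Added example (not from the thread or Trellis): report HSTS status from
# raw HTTP response headers, e.g. the output of `curl -sI https://host/`.

# hsts_max_age: read raw response headers on stdin and print the max-age
# value of the Strict-Transport-Security header, or nothing if it is absent.
# Header names are case-insensitive, so the match is done on a lowercased copy.
hsts_max_age() {
    tr -d '\r' |
    awk 'tolower($1) == "strict-transport-security:" {
             if (match(tolower($0), /max-age=[0-9]+/))
                 print substr($0, RSTART + 8, RLENGTH - 8)
         }' | head -n 1
}

# hsts_verdict: read raw headers on stdin and print one word:
#   missing  - no Strict-Transport-Security header at all
#   short    - header present but max-age below the threshold
#   ok       - header present with a long max-age
# Assumption: 15552000 seconds (180 days) is the "long enough" bar used here.
hsts_verdict() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo missing
    elif [ "$age" -lt 15552000 ]; then
        echo short
    else
        echo ok
    fi
}

# check_url: fetch only the headers of one URL (no redirects followed, so a
# 301 to https is reported on its own) and print the verdict next to it.
# Hypothetical helper; needs curl and network access.
check_url() {
    verdict=$(curl -sSI --max-redirs 0 "$1" | hsts_verdict)
    printf '%s %s\n' "$verdict" "$1"
}

# Constructed sample headers standing in for the two requests in the thread:
# the main document without HSTS and a static asset with it.
SAMPLE_MAIN='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'
SAMPLE_ASSET='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/css'

printf 'main page:  %s\n' "$(printf '%s\n' "$SAMPLE_MAIN"  | hsts_verdict)"
printf 'asset:      %s\n' "$(printf '%s\n' "$SAMPLE_ASSET" | hsts_verdict)"
# To test a live site, run e.g.: check_url https://example.com/
```

Run it against both the page URL and an asset URL on the same host so the two results can be compared directly. One caveat worth knowing when the asset carries the header but the document does not: in nginx, `add_header` directives inside a `location` block replace, rather than extend, any `add_header` lines inherited from the enclosing `server` block, so a location that adds its own headers silently drops the server-level HSTS header. The thread does not establish that this is what happened here, but it is the first thing to look for in the rendered wordpress-site.conf on the server.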

I’m a bit new to SSL certificates, and I also had “A” when tested but thought that it was because I bought that kind of SSL cert (Comodo PositiveSSL from Namecheap).

@romero2k would you mind creating an issue on GitHub about this?

Opened #346 for this.