HSTS enabled by default

Description:

The NGINX page config states that an HSTS header should be sent even when a self-signed certificate is present. This blocks the usage of the newly installed Jitsi instance until a Let’s Encrypt certificate (or any other valid certificate) is deployed.

Steps to reproduce:

1. Install Jitsi as described in the official quick start documentation (https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart)
2. Try opening your servers Jitsi URL without installing a Let’s Encrypt certificate prior to accessing the URL.

Expected behavior:

If a self-signed certificate is present on the host the HSTS header should not be sent since it will prevent access to the page with most browsers otherwise. Jitsi should be able to run with a self-signed certificate by default.

Actual behavior:

The HSTS header is set no matter what type of certificate is used. This is due to the line add_header Strict-Transport-Security "max-age=63072000" always; within the file /etc/nginx/sites-available/<domain>.conf

Server information:

• Jitsi Meet version: jitsi-meet:all/stable 2.0.5142-1
• Operating System: Distributor ID: Debian Description: Debian GNU/Linux 10 (buster) Release: 10 Codename: buster

Client information:

• Browser / app version: Google Chrome Version 87.0.4280.141 (Offizieller Build) (64-Bit)
• Operating System: Microsoft Windows Version 1909 (OS Build 18363.1256)

Additional information:

FYI: I seared the template file within all repos this organization has but couldn’t find one. I’ll leave that up to you.