SSL-enabled sites through Cloudflare

that header does the trick; according to RFC 6797 on HTTP Strict Transport Security Policy Effects:

The effects of the HSTS Policy, as applied by a conformant HTTP user agent (UA) in interactions with a web resource host wielding such policy (known as an HSTS Host), are summarized as follows:

  1. UAs transform insecure URI references to an HSTS Host into secure URI references before dereferencing them.
  2. The UA terminates any secure transport connection attempts upon any and all secure transport errors or warnings.

I also added the ssl_session_cache directive as, according to the nginx documentation on Configuring HTTPS servers:

The most CPU-intensive operation is the SSL handshake. There are two ways to minimize the number of these operations per client: the first is by enabling keepalive connections to send several requests via one connection and the second is to reuse SSL session parameters to avoid SSL handshakes for parallel and subsequent connections.

but, at least for me, it had no effect at all: nginx is using only around 1% CPU and that was mostly unchanged after that.
