fix: resolve false positives in hsts_header and ssl_prefer_server_ciphers checks

HSTS: recognize `security_headers on` (ngx_security_headers module) and
`more_set_headers` setting Strict-Transport-Security as valid HSTS providers,
eliminating false "Missing HSTS header" warnings.

ssl_prefer_server_ciphers: invert the check — flag `on` (LOW) instead of
`off` (MEDIUM). All authoritative sources (Mozilla, nginx maintainers)
recommend `off` for modern cipher lists where all ciphers are strong AEAD;
client preference improves performance for mobile clients without AES-NI.

Author: dvershinin

docs/en/checks/hsts-header.md

@@ -57,3 +57,5 @@ http {
 ## Notes
 
 - Servers configured with `ssl_reject_handshake on;` are skipped, because they never emit HTTP response headers.
+- The [`ngx_security_headers`](https://github.com/GetPageSpeed/ngx_security_headers) module (`security_headers on;`) is recognized as providing HSTS — no separate `add_header` is required.
+- The `more_set_headers` directive (from the [headers-more](https://github.com/openresty/headers-more-nginx-module) module) setting `Strict-Transport-Security` is also recognized.

docs/en/checks/weak-ssl-tls.md

@@ -37,7 +37,7 @@ Detects cipher suites that should be avoided:
 - **MD5-based ciphers** - Weak hash function
 
 ### 3. Server Cipher Preference
-Detects when `ssl_prefer_server_ciphers` is disabled, allowing clients to choose potentially weaker ciphers.
+Detects when `ssl_prefer_server_ciphers` is set to `on`. With modern cipher lists containing only strong AEAD ciphers, server cipher preference is unnecessary and may hurt performance — mobile clients without AES-NI hardware benefit from choosing ChaCha20-Poly1305 over AES-GCM. Both [Mozilla](https://ssl-config.mozilla.org/) and nginx maintainers recommend `off`.
 
 ## Examples
 
@@ -59,6 +59,15 @@ server {
 ```
 **Issue**: `Weak ciphers found: RC4, DES, 3DES`
 
+### ❌ Bad: Server cipher preference enabled
+```nginx
+server {
+    listen 443 ssl;
+    ssl_prefer_server_ciphers on;  # Unnecessary with modern cipher lists
+}
+```
+**Issue**: `Server cipher preference enabled unnecessarily` (LOW)
+
 ### ✅ Good: Secure configuration
 ```nginx
 server {
@@ -70,8 +79,8 @@ server {
     # Mozilla Intermediate cipher suite
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
-    # Server chooses cipher
-    ssl_prefer_server_ciphers on;
+    # Client chooses cipher (recommended by Mozilla)
+    ssl_prefer_server_ciphers off;
 
     # HSTS is checked by the dedicated `hsts_header` plugin.
 }

gixy/plugins/hsts_header.py

@@ -63,7 +63,7 @@ def post_audit(self, root):
                 server_add_headers if server_add_headers else http_add_headers
             )
 
-            self._check_hsts(server_block, effective_add_headers)
+            self._check_hsts(server_block, http_block, effective_add_headers)
 
     def _server_has_ssl(self, server_block):
         for listen_dir in server_block.find("listen"):
@@ -76,7 +76,34 @@ def _server_rejects_handshake(self, server_block):
         ssl_reject = server_block.some("ssl_reject_handshake")
         return bool(ssl_reject and ssl_reject.args and ssl_reject.args[0] == "on")
 
-    def _check_hsts(self, server_block, add_headers):
+    def _has_security_headers_module(self, server_block, http_block):
+        """Check if security_headers directive is enabled in server or http block."""
+        for block in (server_block, http_block):
+            if block is None:
+                continue
+            directive = block.some("security_headers")
+            if directive and directive.args and directive.args[0] == "on":
+                return True
+        return False
+
+    def _has_more_set_headers_hsts(self, server_block, http_block):
+        """Check if more_set_headers sets Strict-Transport-Security in server or http block."""
+        for block in (server_block, http_block):
+            if block is None:
+                continue
+            for directive in block.find("more_set_headers"):
+                for header_name in directive.headers:
+                    if header_name.lower() == "strict-transport-security":
+                        return True
+        return False
+
+    def _check_hsts(self, server_block, http_block, add_headers):
+        # Skip if security_headers module or more_set_headers provides HSTS
+        if self._has_security_headers_module(server_block, http_block):
+            return
+        if self._has_more_set_headers_hsts(server_block, http_block):
+            return
+
         hsts_directive = None
         for add_header in add_headers:
             if (

gixy/plugins/weak_ssl_tls.py

@@ -4,7 +4,7 @@
 Checks for:
 - Outdated protocols (SSLv2, SSLv3, TLSv1, TLSv1.1)
 - Weak cipher suites
-- Insecure ssl_prefer_server_ciphers settings
+- Unnecessary ssl_prefer_server_ciphers on
 """
 
 import gixy
@@ -180,20 +180,22 @@ def _check_ciphers(self, directive):
             )
 
     def _check_prefer_server_ciphers(self, directive):
-        """Check if ssl_prefer_server_ciphers is properly configured."""
-        if directive.args and directive.args[0] == "off":
+        """Check if ssl_prefer_server_ciphers is unnecessarily enabled."""
+        if directive.args and directive.args[0] == "on":
             self.add_issue(
-                severity=gixy.severity.MEDIUM,
+                severity=gixy.severity.LOW,
                 directive=[directive, directive.parent],
-                summary="Server cipher preference disabled",
-                reason="ssl_prefer_server_ciphers is off, allowing clients to choose ciphers. "
-                "This may result in weaker cipher selection if the client prefers insecure options.",
+                summary="Server cipher preference enabled unnecessarily",
+                reason="ssl_prefer_server_ciphers is on, forcing server cipher order. "
+                "With modern cipher lists (all strong AEAD ciphers), client cipher preference "
+                "improves performance — mobile clients without AES-NI benefit from choosing "
+                "ChaCha20-Poly1305 over AES-GCM. Mozilla and nginx maintainers recommend off.",
                 fixes=[
                     self.make_fix(
-                        title="Enable server cipher preference",
-                        search="ssl_prefer_server_ciphers off",
-                        replace="ssl_prefer_server_ciphers on",
-                        description="Let the server choose the strongest cipher",
+                        title="Disable server cipher preference",
+                        search="ssl_prefer_server_ciphers on",
+                        replace="ssl_prefer_server_ciphers off",
+                        description="Let clients choose the most efficient cipher",
                     ),
                 ],
             )

tests/integration/wordpress_production.conf

@@ -61,7 +61,7 @@ http {
 
     # SSL settings (global defaults)
     ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 1d;

tests/plugins/simply/hsts_header/more_set_headers_hsts_fp.conf

@@ -0,0 +1,6 @@
+http {
+    server {
+        listen 443 ssl;
+        more_set_headers "Strict-Transport-Security: max-age=31536000";
+    }
+}

tests/plugins/simply/hsts_header/security_headers_http_fp.conf

@@ -0,0 +1,6 @@
+http {
+    security_headers on;
+    server {
+        listen 443 ssl;
+    }
+}

tests/plugins/simply/hsts_header/security_headers_on_fp.conf

@@ -0,0 +1,6 @@
+http {
+    server {
+        listen 443 ssl;
+        security_headers on;
+    }
+}

tests/plugins/simply/weak_ssl_tls/prefer_off.conf

@@ -0,0 +1 @@
+ssl_prefer_server_ciphers on;