Hey Traefik community,
we are using Traefik as a LoadBalancer in a customer project. The customer is using an external security scan provider to check their website for security vulnerabilities. This scan reports an error for port 80, which requests that the HSTS header also be set for port 80 (it is correctly sent on port 443).
We have an SSL redirect set up on the LoadBalancer using a middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stsheaders
  namespace: default
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    customFrameOptionsValue: SAMEORIGIN
    forceSTSHeader: true
    frameDeny: true
    sslRedirect: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
We have set forceSTSHeader to true; however, the response returns the 301 as it should, but not the HSTS header.
curl -v http://my-app.com
* Trying 1.2.3.4:80...
* Connected to my-app.com (1.2.4.5) port 80 (#0)
> GET / HTTP/1.1
> Host: my-app.com
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=utf-8
< Location: https://my-app.com/
< Date: Tue, 18 Jan 2022 14:27:44 GMT
< Content-Length: 56
<
<a href="https://my-app.com/">Moved Permanently</a>.
* Connection #0 to host my-app.com left intact
I hope someone can help.
Greetings Sven
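As an added check (not part of Sven's post, and not Traefik code): a small Python script that evaluates captured responses the way the scanner in the post does, parsing the Strict-Transport-Security header against the values in the middleware (stsSeconds, stsIncludeSubdomains, stsPreload) and verifying that the port-80 reply redirects to https. Both sample responses are constructed; the first mirrors the curl output above.

```python
# Added example, not from the post: check captured HTTP responses against the HSTS
# policy the Traefik headers middleware above is meant to emit. Both samples are
# constructed; HTTP_RESPONSE mirrors the port-80 reply shown in the post.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: https://my-app.com/\r\n\r\n"
    '<a href="https://my-app.com/">Moved Permanently</a>.'
)
HTTPS_RESPONSE = (  # what port 443 should return given the stsSeconds/stsPreload values
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\nok"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def parse_hsts(value):
    """Parse an STS field value into {directive (lowercased): value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def check_hsts(raw, min_age=31536000, subdomains=True, preload=True):
    """Findings for an HTTPS response; an empty list means the policy is met."""
    hsts = parse_response(raw)[1].get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    d, findings = parse_hsts(hsts), []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not numeric")
    elif int(d["max-age"]) < min_age:
        findings.append(f"max-age {d['max-age']} below {min_age}")
    if subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if preload and "preload" not in d:
        findings.append("preload missing")
    return findings

def check_http_redirect(raw):
    """Findings for the plain-HTTP port: expect a redirect whose target is https://."""
    status, headers = parse_response(raw)
    findings = [] if status in (301, 302, 307, 308) else [f"expected redirect, got {status}"]
    if not headers.get("location", "").lower().startswith("https://"):
        findings.append("redirect target is not https")
    return findings
```

Run check_http_redirect on the port-80 capture and check_hsts on the port-443 capture; the port-80 reply from the post passes the redirect check but reports the header as missing, which is exactly what the scanner flagged.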