I have a global HTTP-to-HTTPS redirect in place. I also have a couple of default headers that are added to all my routers through a default middleware. The config looks somewhat like this:
staticconfig:

```yaml
...
entryPoints:
  web:
    address: :80
    http:
      middlewares:
        - default-headers@file
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - default-headers@file
      tls: true
```

dynamicconfig:

```yaml
...
http:
  middlewares:
    default-headers:
      headers:
        stsSeconds: 315360000
        stsIncludeSubdomains: true
        customFrameOptionsValue: SAMEORIGIN
        contentTypeNosniff: true
        customResponseHeaders:
          Server: ""
          X-Application-Context: ""
          X-Powered-By: ""
          exception: ""
...
```
Unfortunately, this does not seem to set all headers on the HTTP endpoints. In particular, the HSTS header is missing, which presents a security issue, as it might allow MITM attacks:
```
razr@nb [~]
-> % curl -L -I http://www.mydomain.com
HTTP/1.1 308 Permanent Redirect
Location: https://www.mydomain.com/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: ...
Content-Length: 18
Content-Type: text/plain; charset=utf-8

HTTP/2 200
accept-ranges: bytes
content-type: text/html
date: ...
etag: "60e584c1-231"
last-modified: ...
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 561
razr@nb [~]
-> %
```
Is it possible somehow to enable all the same headers on the http endpoints as well?
Thanks in advance!
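
An added example, not part of the original post: a small checker that splits `curl -L -I` output into one response per hop and reports which of the configured security headers each hop lacks, so the comparison above can be repeated after a config change. The hostname `www.example.test`, the sample dump and the function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Headers the default-headers middleware on the page is configured to emit.
EXPECTED = ("strict-transport-security", "x-content-type-options", "x-frame-options")

# Constructed sample in the shape of `curl -L -I` output (placeholder hostname).
SAMPLE = """\
HTTP/1.1 308 Permanent Redirect
Location: https://www.example.test/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

HTTP/2 200
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
"""

def split_hops(dump):
    """Split a header dump into (status_code, {lowercased-name: value}) per response."""
    hops = []
    for line in dump.splitlines():
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:
            hops.append((int(m.group(1)), {}))
        elif hops and ":" in line:
            name, value = line.split(":", 1)
            hops[-1][1][name.strip().lower()] = value.strip()
    return hops

def audit(start_url, dump, expected=EXPECTED):
    """Return one finding per hop: URL answered, status code, and missing headers."""
    findings, url = [], start_url
    for status, headers in split_hops(dump):
        missing = [h for h in expected if h not in headers]
        # RFC 6797 (sections 7.2 and 8.1): HSTS is only sent and honoured over secure
        # transport, so its absence on a plain-http hop is flagged separately.
        hsts_na = urlsplit(url).scheme == "http" and "strict-transport-security" in missing
        if hsts_na:
            missing.remove("strict-transport-security")
        findings.append({"url": url, "status": status, "missing": missing,
                         "hsts_not_applicable": hsts_na})
        if "location" in headers:  # follow the redirect to learn the next hop's URL
            url = urljoin(url, headers["location"])
    return findings

if __name__ == "__main__":
    for finding in audit("http://www.example.test", SAMPLE):
        print(finding)
```

To check a live deployment, pass the URL given to `curl -L -I` as `start_url` and the captured output as `dump`.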