I have a global http-https redirect in place. I also have a couple of default headers that are added to all my routers through a default middleware. The config looks somewhat like this:
```yaml
...
entryPoints:
  web:
    address: :80
    http:
      middlewares:
        - default-headers@file
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - default-headers@file
      tls: true
```

```yaml
...
http:
  middlewares:
    default-headers:
      headers:
        stsSeconds: 315360000
        stsIncludeSubdomains: true
        customFrameOptionsValue: SAMEORIGIN
        contentTypeNosniff: true
        customResponseHeaders:
          Server: ""
          X-Application-Context: ""
          X-Powered-By: ""
          exception: ""
...
```
Unfortunately, this does not seem to set all headers on the http endpoints. In particular, the HSTS header is missing, which poses a security issue, as it might allow MITM attacks:
```
razr@nb [~]
-> % curl -L -I http://www.mydomain.com
HTTP/1.1 308 Permanent Redirect
Location: https://www.mydomain.com/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: ...
Content-Length: 18
Content-Type: text/plain; charset=utf-8

HTTP/2 200
accept-ranges: bytes
content-type: text/html
date: ...
etag: "60e584c1-231"
last-modified: ...
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 561

razr@nb [~]
-> %
```
Is it possible somehow to enable all the same headers on the http endpoints as well?
Thanks in advance!
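
The per-hop check done by eye in the `curl -L -I` output above can be scripted; this is an added example, not part of the original post. The names `parse_hops` and `audit` are hypothetical, and the sample is constructed from the output in the post with the elided date lines dropped.

```python
import re

# Headers the post's default-headers middleware should emit (lower-cased).
EXPECTED = ("strict-transport-security", "x-content-type-options", "x-frame-options")
# Headers the middleware blanks via customResponseHeaders; a value means a leak.
STRIPPED = ("server", "x-application-context", "x-powered-by", "exception")

# Constructed sample: the two responses shown in the post, date lines omitted.
SAMPLE = """\
HTTP/1.1 308 Permanent Redirect
Location: https://www.mydomain.com/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 18

HTTP/2 200
content-type: text/html
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
"""

STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")

def parse_hops(raw):
    """Split `curl -L -I` output into one (status, headers) pair per response."""
    hops = []
    for line in raw.splitlines():
        line = line.strip()
        m = STATUS_LINE.match(line)
        if m:
            hops.append((int(m.group(1)), {}))
        elif hops and ":" in line:
            name, _, value = line.partition(":")
            # Header names are case-insensitive, so normalise before comparing.
            hops[-1][1][name.strip().lower()] = value.strip()
    return hops

def audit(raw):
    """Report, for every hop in the chain, missing and leaked headers."""
    return [{"status": status,
             "missing": [h for h in EXPECTED if h not in headers],
             "leaked": [h for h in STRIPPED if headers.get(h)]}
            for status, headers in parse_hops(raw)]

if __name__ == "__main__":
    for i, hop in enumerate(audit(SAMPLE), 1):
        print(f"hop {i}: {hop}")
```

Per RFC 6797, browsers ignore `Strict-Transport-Security` on a response received over plain HTTP, so the policy is established by the HTTPS hop.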