Http-https redirect does not provide sts headers

I have a global http-https redirect in place. I also have a couple of default headers, that are added to all my routers through a default middleware. The config looks somewhat like this:

staticconfig:

```yaml
...
entryPoints:
  web:
    address: :80
    http:
      middlewares:
        - default-headers@file
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - default-headers@file
      tls: true
```

dynamicconfig:

```yaml
...
http:
  middlewares:
    default-headers:
      headers:
        stsSeconds: 315360000
        stsIncludeSubdomains: true
        customFrameOptionsValue: SAMEORIGIN
        contentTypeNosniff: true
        customResponseHeaders:
          Server: ""
          X-Application-Context: ""
          X-Powered-By: ""
          exception: ""
...
```

Unfortunately, this does not seem to set all headers on the HTTP endpoints. In particular, the HSTS header is missing, which poses a security issue, as it might allow MITM attacks:

```
razr@nb [~]
-> % curl -L -I http://www.mydomain.com
HTTP/1.1 308 Permanent Redirect
Location: https://www.mydomain.com/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: ...
Content-Length: 18
Content-Type: text/plain; charset=utf-8

HTTP/2 200
accept-ranges: bytes
content-type: text/html
date: ...
etag: "60e584c1-231"
last-modified: ...
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 561

razr@nb [~]
-> %
```

Is it possible somehow to enable all the same headers on the http endpoints as well?

Thanks in advance!

Hello @razr,

The HSTS headers are often not added to HTTP responses, as they are often ignored by browsers in an HTTP response: (Strict-Transport-Security - HTTP | MDN).

If you want to force the HSTS headers to be added to your HTTP response, you can use the forceSTSHeader option in the headers middleware: (Headers - Traefik)
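To confirm which hops of the redirect chain carry an HSTS policy before and after changing the middleware, the `curl -L -I` output can be checked per response. The script below is an added example, not part of the original posts or of Traefik; the function names are hypothetical and `SAMPLE` is constructed from the output in the first post with the `Date` lines dropped.

```python
import re

# Constructed sample: the `curl -L -I` output from the first post, Date lines dropped.
SAMPLE = """\
HTTP/1.1 308 Permanent Redirect
Location: https://www.mydomain.com/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

HTTP/2 200
content-type: text/html
strict-transport-security: max-age=315360000; includeSubDomains
x-content-type-options: nosniff
"""

def parse_hops(raw):
    """Split `curl -I -L` output into one (status_line, headers) pair per response."""
    hops = []
    for block in re.split(r"\n\s*\n", raw.replace("\r", "").strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].upper().startswith("HTTP/"):
            continue  # skip anything that is not a response block
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        hops.append((lines[0], headers))
    return hops

def hsts_policy(headers):
    """Return (max_age, include_subdomains), or None when no usable policy is set."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    directives = [d.strip().lower() for d in value.split(";")]
    for d in directives:
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
        if m:
            return int(m.group(1)), "includesubdomains" in directives
    return None  # header present but without a valid max-age

def audit(raw):
    """List (status_line, policy) for every hop of the redirect chain."""
    return [(status, hsts_policy(h)) for status, h in parse_hops(raw)]

if __name__ == "__main__":
    for status, policy in audit(SAMPLE):
        print(f"{status:35} HSTS: {policy or 'MISSING'}")
```

RFC 6797 requires user agents to ignore `Strict-Transport-Security` received over plain HTTP, so the HTTPS hop is the one whose policy browsers actually record; a non-`None` result on the port 80 hop only confirms that the header is being forced there.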

Hey @daniel.tomcej,

thanks for the fast response!

Works like a charm! Could have found this in the docs myself. Thought I had a look there, but did not stumble upon that. Thanks a lot!