Not able to set HSTS headers through netlify.toml for a custom domain configured through a Netlify Gatsby site


I set the headers in the netlify.toml file to enable HSTS as shown in the link HTTPS (SSL) | Netlify Docs

netlify site name:
custom domain:


[[headers]]
  for = "/*"
  [headers.values]
    Testing = "MP"
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    StrictTransportSecurity = "max-age=63072000; includeSubDomains; preload"

I’ve also given additional custom headers just to check whether custom headers are actually being added by Netlify or not. Netlify is adding all the custom headers except the required one, i.e. Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload". I’m not sure why it’s omitting the HSTS custom header in the deployment post-processing. I tested the same by creating a dummy site with the same netlify.toml config, and it’s working over there. This is the dummy site where the HSTS custom header is working just fine. I have no clue why the HSTS custom header is getting omitted in my case for the site

I’m looking for help over here.


You’re using Cloudflare, so I’m pretty sure the problem is happening on that end. The subdomain works fine.

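One way to check the reply's point, as an added example that is not part of the original thread: capture the response headers for the Netlify subdomain and for the custom domain (for instance with `curl -sI`), then compare which edge answered and whether `Strict-Transport-Security` reached the client. The two captures below are constructed, and treating `Server: cloudflare` / `CF-RAY` and `Server: Netlify` / `X-NF-Request-ID` as edge markers is an assumption of this sketch.

```python
# Constructed `curl -sI` captures (not real responses from the poster's site).
NETLIFY_SUBDOMAIN = """HTTP/2 200
server: Netlify
testing: MP
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-nf-request-id: 01EXAMPLE
"""
CUSTOM_DOMAIN = """HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-EXA
testing: MP
"""

def parse_headers(raw):
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            digits = token[len("max-age="):].strip('"')
            policy["max_age"] = int(digits) if digits.isdigit() else None
        elif token == "includesubdomains":
            policy["include_subdomains"] = True
        elif token == "preload":
            policy["preload"] = True
    return policy

def diagnose(raw):
    """Report which edge answered and whether HSTS reached the client."""
    h = parse_headers(raw)
    server = h.get("server", "").lower()
    if "cf-ray" in h or server == "cloudflare":
        edge = "cloudflare"  # assumed Cloudflare markers
    elif "x-nf-request-id" in h or server == "netlify":
        edge = "netlify"     # assumed Netlify markers
    else:
        edge = "unknown"
    sts = h.get("strict-transport-security")
    return {"edge": edge, "hsts": parse_hsts(sts) if sts else None,
            "test_header_seen": h.get("testing") == "MP"}

if __name__ == "__main__":
    for label, raw in (("subdomain", NETLIFY_SUBDOMAIN), ("custom", CUSTOM_DOMAIN)):
        print(label, diagnose(raw))
```

If the custom domain shows the `Testing` header but no HSTS policy while the subdomain shows both, the header is being dropped after Netlify has served the response, which points at the proxy in front of it.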