Unable to set the Strict-Transport-Security header on custom domain site

I’m following what is listed here on how to set the Strict-Transport-Security header.

My netlify.toml has the following:

[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-Content-Type-Options = "nosniff"
    X-Permitted-Cross-Domain-Policies = "none"
    Cache-Control = "no-store"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains;"

Yet on my custom domain https://ha-dash.staging.caribouadvisors.com/ the Strict-Transport-Security header is still missing includeSubDomains. The netlify domain https://ha-dash-staging.netlify.app/ has both the includeSubDomains and preloaded directives.

How can I get this header deployed? I’ve confirmed that the other headers in the netlify.toml file are being deployed just fine. It’s just the Strict-Transport-Security header that won’t update.
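The comparison the poster is doing by hand (what netlify.toml declares versus what the CDN actually serves) can be scripted. The following is an added example, not code from the original thread or from Netlify: it parses a Strict-Transport-Security value into its directives per RFC 6797 (tolerating the trailing semicolon from the original config), reports which intended directives are missing from the served policy, checks the three conditions the hstspreload.org list requires (max-age of at least one year, includeSubDomains, preload), and can optionally fetch a live URL. The header values in the demo are constructed samples, and the function names are my own.

```python
"""Compare the HSTS policy a host serves with the one you configured.

Added example, not part of the original thread or of Netlify's tooling.
The sample header values below are constructed for the offline demo.
"""
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age for the HSTS preload list


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or not a valid policy
    (no max-age, or a non-numeric max-age).
    """
    if value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    # Directives are ';'-separated. A trailing ';' (as in the poster's
    # netlify.toml) just yields an empty token, which is skipped.
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                return None                  # invalid max-age invalidates the policy
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def compare(served: Optional[HstsPolicy], intended: HstsPolicy) -> List[str]:
    """List the ways the served policy falls short of the intended one."""
    if served is None:
        return ["no valid Strict-Transport-Security header served"]
    problems = []
    if served.max_age != intended.max_age:
        problems.append(f"max-age is {served.max_age}, expected {intended.max_age}")
    if intended.include_subdomains and not served.include_subdomains:
        problems.append("includeSubDomains missing")
    if intended.preload and not served.preload:
        problems.append("preload missing")
    return problems


def preload_eligible(policy: Optional[HstsPolicy]) -> bool:
    """True if the policy meets the hstspreload.org submission requirements."""
    return (policy is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Return the raw Strict-Transport-Security header from a live URL (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    intended = parse_hsts("max-age=31536000; includeSubDomains;")
    # Constructed sample: the custom domain serving only max-age, as in the thread.
    served = parse_hsts("max-age=31536000")
    print("custom domain:", compare(served, intended) or "matches")
    # Constructed sample: the netlify.app domain with all three directives.
    print("preload eligible:", preload_eligible(
        parse_hsts("max-age=31536000; includeSubDomains; preload")))
```

To check a live site, pass the result of fetch_hsts(url) to parse_hsts; a header that parses to None (absent or malformed) is reported as its own problem rather than silently treated as "no includeSubDomains".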

Howdy @caribou and welcome! :cowboy_hat_face:

I can see the max-age header value when I visit the custom domain but not includeSubDomains.

Could you try removing the last semicolon so it’ll look something like:

Strict-Transport-Security = "max-age=31536000; includeSubDomains"

and let us know if it helps?

Hi @audrey!

I tried removing the semicolon and it did not work. I even tried the below:

Strict-Transport-Security = "max-age=3000000"

And it didn’t change the max-age, it still said max-age=31536000. I also updated another header in the same deploy to make sure my changes were being pushed out and the other header updated successfully. So it just seems like the Strict-Transport-Security header isn’t able to be changed on my site.

Hi again @caribou and thanks for your patience while I worked with our networking team on this. Just got you opted into a feature flag that we will eventually roll out to our entire CDN to permit your override of this header. Please ensure that you set it in your custom header rules in _headers or netlify.toml (Custom headers | Netlify Docs) even if you use a dynamic framework such as next.js that requires you to set it in your code e.g. next.js.config as well. This will activate the feature fully.

Please let me know how it goes!

Thank you! It’s working perfectly now!