Unable to set the Strict-Transport-Security header on custom domain site

I’m following what is listed here on how to set the Strict-Transport-Security header.

My netlify.toml has the following:

  for = "/*"
    X-Frame-Options = "DENY"
    X-Content-Type-Options = "nosniff"
    X-Permitted-Cross-Domain-Policies = "none"
    Cache-Control = "no-store"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains;"

Yet on my custom domain https://ha-dash.staging.caribouadvisors.com/ the Strict-Transport-Security header is still is missing includeSubDomains. The netlify domain https://ha-dash-staging.netlify.app/ has both the includeSubDomains and preloaded directives.

How can I get this header deployed? I’ve confirmed that the other headers in the netlify.toml file are being deployed just fine. It’s just the Strict-Transport-Security header that won’t update.

Howdy @caribou and welcome! :cowboy_hat_face:

I can see the max-age header value when I visit the custom domain but not includeSubDomains.

Could you try removing the last semicolon so it’ll look something like:

Strict-Transport-Security = "max-age=31536000; includeSubDomains"

and let us know if it helps?

Hi @audrey!

I tried removing the semicolon and it did not work. I even tried the below:

Strict-Transport-Security = "max-age=3000000"

And it didn’t change the max-age, it still said max-age=31536000. I also updated another header in the same deploy to make sure my changes were being pushed out and the other header updated successfully. So it just seems like the Strict-Transport-Security header isn’t able to be changed on my site.

Hi again @caribou and thanks for your patience while I worked with our networking team on this. Just got you opted into a feature flag that we will eventually roll out to our entire CDN to permit your override of this header. Please ensure that you set it in your custom header rules in _headers or netlify.toml (Custom headers | Netlify Docs) even if you use a dynamic framework such as next.js that requires you to set it in your code e.g. next.js.config as well. This will activate the feature fully.

Please let me know how it goes!

Thank you! It’s working perfectly now!