1

I'm trying to enable HSTS in my Spring Boot application. I've added the following to my WebSecurityConfig (based on Enable HTTP Strict Transport Security (HSTS) with spring boot application):

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    protected void configure(HttpSecurity http) throws Exception
    {
        // Other http configurations, e.g. authorizeRequests and CSRF
        // ...

        http.headers().httpStrictTransportSecurity()
            .maxAgeInSeconds(Duration.ofDays(365L).getSeconds())
            .includeSubDomains(true);
    }
}

I do get the strict-transport-security header when in HTTPS requests, but the max-age is always 0:

strict-transport-security: max-age=0; includeSubDomains

I'm getting the exact same header if I don't add the Spring configuration, so it looks my configuration is not being picked up. It appears to be specific to the HSTS configuration, because the other configurations, e.g. http.authorizeRequests(), are working. That seems to indicate that the HSTS configuration is somehow being overwritten, especially when considering that Spring's default max-age is one year. However, I've been able to find any other HSTS-related configuration in our codebase.

I also tried setting a breakpoint in o.springframework.s.c.a.w.c.HeadersConfigurer.HstsConfig#maxAgeInSeconds to check whether it's being called more than once. My call from configure was the only invocation.

Does anyone know why my HSTS configuration is not used? Or do you have any other ideas on how to debug this?

Bjørn Vårdal
  • 174
  • 2
  • 11

1 Answers1

0

Turns out that this was caused by a Cloudflare configuration that rewrote the header and set the max-age to 0.

It was also easier to update the Cloudflare configuration than to update the configuration in every micro-service.

Bjørn Vårdal
  • 174
  • 2
  • 11