
I'm using Spring Boot (Spring version 5.2.9) and have it deployed to Azure App Service (linux server). I have it set so it's using HTTPS only under the TLS/SSL settings in Azure. I am unable to see the HSTS header being set in responses.

When I run the app locally using a self-signed cert under HTTPS, I am able to see the HSTS header just fine. The issue is when it's deployed out to Azure that I'm unable to see it.

Is there something extra I need to do to get this header to appear in an Azure app service?

[Screenshot: HTTPS Only Enabled in Azure]

Code from Security Configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // HSTS: one year, applied to subdomains as well.
            // Spring Security only writes this header on requests it considers secure.
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)
                .and()
            .and()
            // Only the API requires authentication; everything else is public.
            .authorizeRequests()
                .mvcMatchers("/api/**").authenticated()
                .mvcMatchers("**").permitAll()
            .and()
                .cors()
            .and()
                // Stateless JWT resource server, so CSRF protection is disabled.
                .csrf().disable()
                .oauth2ResourceServer().jwt();
    }
}
Michelle
  • According to Spring Security documentation, the HSTS header is only injected in HTTPS responses in accordance with RFC6797 (https://docs.spring.io/spring-security/site/docs/current/reference/html5/#headers-hsts). I don't know much about Azure, but maybe the server in which the app is installed isn't really responding in HTTPS and that is why it is not including the header. Try this please, browse your app from the same server in which it's installed and check: 1. It's HTTPS. 2. It's including the header or not – Enmanuel Rodríguez Paz Mar 13 '21 at 04:07
  • It's using HTTPS. I have HTTPS Only enabled which redirects all HTTP traffic to HTTPS. If I access the app over HTTPS, the HSTS is still missing. – Michelle Mar 14 '21 at 05:32
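The comment above points at the decisive condition: Spring Security's HstsHeaderWriter writes Strict-Transport-Security only when the servlet request reports itself as secure (request.isSecure()). The following is an added example, not code from the question or from the Spring project, that makes that condition visible with Spring's mock servlet classes. It models a TLS-terminating front end that forwards to the app over plain HTTP and records the original scheme in X-Forwarded-Proto; that this matches the Azure App Service front end is an assumption of the example, as is the constructed request data. The max-age and includeSubDomains values are the ones from the question's configuration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Added example (not from the question or from Spring): shows when
 * HstsHeaderWriter emits Strict-Transport-Security. The writer acts only
 * when request.isSecure() is true, so a request that was HTTPS at the
 * front end but reached the app over plain HTTP gets no header unless the
 * forwarded-protocol information is applied to the request first.
 */
public class HstsBehindProxyDemo {

    private static final String HSTS_HEADER = "Strict-Transport-Security";

    // Same policy as the question's configuration: one year, includeSubDomains.
    private static final HstsHeaderWriter HSTS_WRITER = new HstsHeaderWriter(31536000L, true);

    /** Runs the writer against the given request; null means no header was written. */
    static String hstsFor(HttpServletRequest request) {
        MockHttpServletResponse response = new MockHttpServletResponse();
        HSTS_WRITER.writeHeaders(request, response);
        return response.getHeader(HSTS_HEADER);
    }

    /** Constructed request as the app sees it when TLS terminates at the container itself. */
    static MockHttpServletRequest directHttps() {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/");
        req.setScheme("https");
        req.setServerPort(443);
        req.setSecure(true);
        return req;
    }

    /**
     * Constructed request as the app sees it behind an assumed TLS-terminating
     * reverse proxy: the hop to the app is plain HTTP, and only the
     * X-Forwarded-Proto header records that the client connection was HTTPS.
     */
    static MockHttpServletRequest proxiedHttps() {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/");
        req.setScheme("http");
        req.setServerPort(8080);
        req.setSecure(false);
        req.addHeader("X-Forwarded-Proto", "https");
        return req;
    }

    /** Applies Spring's ForwardedHeaderFilter and returns the request the app would see after it. */
    static HttpServletRequest applyForwardedHeaders(MockHttpServletRequest req)
            throws ServletException, IOException {
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(req, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        // TLS at the container: header present.
        System.out.println("direct HTTPS            : " + hstsFor(directHttps()));
        // TLS at the proxy, forwarded headers ignored: isSecure() is false, no header.
        System.out.println("proxied, headers ignored: " + hstsFor(proxiedHttps()));
        // TLS at the proxy, forwarded headers applied: the wrapped request is secure.
        HttpServletRequest forwarded = applyForwardedHeaders(proxiedHttps());
        System.out.println("proxied, isSecure()     : " + forwarded.isSecure());
        System.out.println("proxied, headers applied: " + hstsFor(forwarded));
    }
}
```

In a Spring Boot 2.2 or later application the same filter is registered by setting server.forward-headers-strategy=framework (or native to let the embedded container apply the headers itself). Forwarded headers should only be trusted when the application is reachable exclusively through the proxy that sets them; an app exposed directly would otherwise let any client claim an HTTPS origin.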

0 Answers