Enable HSTS with Spring Boot does not work

Question

I have a spring boot application
I would like to enable HSTS

I added the documented settings to my SecurityConfiguration (see below), but HSTS header is not appearing.

What am I doing wrong?

@Slf4j
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.headers()
                .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .preload(false)
                .maxAgeInSeconds(31536000);

I can't find the header in Chrome Developer Tools (F12 -> Network -> Headers -> Response Header) when accessing the page nor when testing with official site https://gf.dev/hsts-test

The spring boot application runs under http 8080, but a Dispatchserver runs https which routes the request to spring boot. I see the problem with http. Is there a way to tell Spring boot to set the HSTS Header also in case of http? — mcfly soft, Dec 15 '21 at 13:48

score 2 · Answer 1 · answered Dec 15 '21 at 14:20

By default, Spring Security only adds the HSTS header if the connection is secure (https). See the documentation.

However, you can change the RequestMatcher as you want, like so:

http.headers()
                .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .preload(false)
                .maxAgeInSeconds(31536000)
                .requestMatcher(AnyRequestMatcher.INSTANCE);

Enable HSTS with Spring Boot does not work

1 Answers1