
I am serving an App Engine Standard Java 11 runtime behind a GCP API Gateway. The application uses Spring Security to set security headers. I want to enable the Strict-Transport-Security header in my responses, but even though the header is enabled by Spring Security by default, the responses from the API GW don't include the header. Is there any way to enable Strict-Transport-Security on the API GW?

randomVariable

1 Answer


The HTTP strict transport security (HSTS) web security policy mechanism helps to protect websites against attacks by forcing users to communicate with servers through HTTPS only. When users send HTTP requests to the server, it responds with a Strict-Transport-Security response header for a length of time specified in seconds. In the response header this length of time is depicted as the max-age attribute.

The standard way to set the Strict-Transport-Security header in your responses is:

Strict-Transport-Security: max-age=31536000; includeSubDomains

In addition, when enabling the Cloud API Gateway, the openAPI YAML file must be uploaded.

At this point, there can be two possible scenarios:

  1. The Strict-Transport-Security header is not configured successfully. In this case, it would be helpful to double check the App Engine direct response (when not using the Cloud API Gateway). This would make sure the App Engine is properly configured for outputting the header.

  2. As in the GitHub link, there are no settings that might strip the Strict-Transport-Security header from the requests. But it would be worth double checking the YAML file to determine if there are any settings that might be modifying this header flag.

If the above two troubleshooting steps do not work, try opening a bug.

Mousumi Roy
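An added example (not from the question or answer above) that automates the two troubleshooting steps: it parses the HSTS header value and compares the headers of the App Engine direct response with those seen through the gateway, so you can tell "backend never sent it" apart from "gateway dropped it". The sample header dicts are constructed, not captured from a real deployment; the only assumption is that Spring Security's default value looks like `max-age=31536000 ; includeSubDomains`, and since Spring's HstsHeaderWriter only emits the header for requests it considers secure, the direct check should be made over HTTPS.

```python
"""Diagnose where a Strict-Transport-Security header goes missing."""
import re
import urllib.request
from typing import Optional

HSTS = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year, as recommended in the answer


def parse_hsts(value: Optional[str]) -> Optional[dict]:
    """Split an HSTS value into its directives; None when the header is absent."""
    if value is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                parsed["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def diagnose(direct: dict, gateway: dict) -> str:
    """Classify the two scenarios from the answer, plus a weak-policy case."""
    backend = parse_hsts(header(direct, HSTS))
    via_gw = parse_hsts(header(gateway, HSTS))
    if backend is None:
        return "backend-missing"       # scenario 1: App Engine never sets it
    if via_gw is None:
        return "stripped-by-gateway"   # scenario 2: lost on the gateway path
    if via_gw["max_age"] is None or via_gw["max_age"] < MIN_MAX_AGE:
        return "weak"                  # present but shorter than one year
    return "ok"


def fetch_headers(url: str) -> dict:
    """Live check: fetch headers for the direct and gateway URLs (HTTPS only)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)


# Constructed sample responses (not captured from a real deployment)
DIRECT_SAMPLE = {"Content-Type": "application/json",
                 "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains"}
GATEWAY_SAMPLE = {"Content-Type": "application/json"}

if __name__ == "__main__":
    print(diagnose(DIRECT_SAMPLE, GATEWAY_SAMPLE))  # → stripped-by-gateway
```

For a live run, pass `fetch_headers(direct_url)` and `fetch_headers(gateway_url)` to `diagnose` instead of the constructed samples.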