How to use HSTS for proxied http server

I’m using Caddy to proxy an HTTP-only Apache httpd website.
I have successfully run the website with TLS 1.3, but I’d like to know how to enable HSTS. It seems to work 😂.

Here is my config:

    {
        proxy / {
            header_downstream Strict-Transport-Security "max-age=60; includeSubdomains;"
        }
        tls null
    }

OS: win server 2008
Caddy Version: 0.11.5

Hi @imba-tjd, welcome to the Caddy community.

As you noted in an edit, your configuration already sets HSTS (that’s the HTTP Strict-Transport-Security header). :smiley:

A few things of note:

  • You aren’t currently setting preload; - that means that your site will likely not be added to the built-in browser preload lists.
  • You’ve got a max age of 60 - that’s in seconds, so a browser is going to “forget” the HSTS policy a minute after they browse away from your site. Far more commonly you see people set the HSTS header expiry for a year, i.e. 31536000 seconds.

Thanks, I know them. It’s normal. :grin:


I believe you still have to submit it manually, IIRC.

Ahh, you’re right! To get preloaded, you serve the header with preload;, then submit the site for inclusion.

Removing the preload; part later on makes you eligible to submit the removal form and might have you automatically removed at some point, but it looks like they never automatically add you.
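The two points raised in this thread, max-age being counted in seconds (a year is 31536000) and preload requiring the preload directive before the site is submitted, are easy to check from the header itself. The following is an added example, not code from the thread or from Caddy: it parses a Strict-Transport-Security header value and lists what a practitioner would want fixed before submitting to the preload list. The sample headers are constructed, and the one-year minimum is taken as an assumption from the preload list's published requirements.

```python
"""Parse a Strict-Transport-Security header and report what would block
preload submission. Added example; not part of the original thread."""
import re

ONE_YEAR = 31536000  # seconds; the expiry the reply above recommends

# Constructed sample headers: the thread's own value and a hardened variant.
SAMPLE_HEADERS = {
    "thread": "max-age=60; includeSubdomains;",
    "hardened": "max-age=31536000; includeSubDomains; preload",
    "empty": "",
}


def parse_hsts(value):
    """Return a dict of directives from an HSTS header value.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased.
    Returns None if max-age is missing, not a non-negative integer, or if a
    directive is repeated (RFC 6797 treats repeated directives as invalid).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            return None
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def hsts_findings(value):
    """List the header-side problems that would stop a preload submission."""
    d = parse_hsts(value)
    if d is None:
        return ["header missing or malformed (no valid max-age)"]
    findings = []
    if d["max-age"] < ONE_YEAR:
        findings.append(f"max-age={d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains is not set")
    if "preload" not in d:
        findings.append("preload is not set")
    return findings


def preload_ready(value):
    """True when the header carries everything the preload list asks for."""
    return hsts_findings(value) == []


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label}: {hsts_findings(hdr) or ['ok']}")
```

Run it as-is to see the thread's max-age=60 header flagged for the short expiry and the missing preload directive; paste a live header value in place of the constructed ones to check a real site. The header check is only half of what the preload list requires (the site must also serve HTTPS and redirect plain HTTP), so treat an empty findings list as "ready to submit", not "already preloaded".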
