How to use HSTS for proxied http server

(谭九鼎) #1

I’m using Caddy to proxy an HTTP-only Apache httpd website.
I have successfully run the website with TLS 1.3, but I’d like to know how to enable HSTS. It seems to work 😂.

Here is my config:

```
{
    proxy / {
        header_downstream Strict-Transport-Security "max-age=60; includeSubdomains;"
    }
    tls null
}
```

OS: win server 2008
Caddy Version: 0.11.5

(Matthew Fay) #2

Hi @imba-tjd, welcome to the Caddy community.

As you noted in an edit, your configuration already sets HSTS (that’s the HTTP Strict-Transport-Security header). :smiley:

A few things of note:

  • You aren’t currently setting preload; - that means that your site will likely not be added to the built-in browser preload lists.
  • You’ve got a max age of 60 - that’s in seconds, so a browser is going to “forget” the HSTS policy a minute after they browse away from your site. Far more commonly you see people set the HSTS header expiry for a year, i.e. 31536000 seconds.

(谭九鼎) #3

Thanks, I know them. It’s normal. :grin:

(Matt Holt) #4

I believe you still have to submit it manually, IIRC.

(Matthew Fay) #5

Ahh, you’re right! To get preloaded, you serve the header with preload;, then submit the site for inclusion.

Removing the preload; part later on makes you eligible to submit the removal form and might have you automatically removed at some point, but it looks like they never automatically add you.