I’m using Caddy to proxy an HTTP-only Apache httpd website.
I have successfully run the website with TLS 1.3, but I’d like to know how to enable HSTS. It seems to work 😂.
As you noted in an edit, your configuration already sets HSTS (that’s the HTTP Strict-Transport-Security header).
A few things of note:
You aren’t currently setting preload; - that means that your site will likely not be added to the built-in browser preload lists.
You’ve got a max age of 60 - that’s in seconds, so a browser is going to “forget” the HSTS policy a minute after they browse away from your site. Far more commonly you see people set the HSTS header expiry for a year, i.e. 31536000 seconds.
Ahh, you’re right! To get preloaded, you serve the header with preload;, then submit the site for inclusion.
Removing the preload; part later on makes you eligible to submit the removal form and might have you automatically removed at some point, but it looks like they never automatically add you.
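The two points raised in this thread (a `max-age` given in seconds, and the `preload` directive) can be checked mechanically against a captured header value. The following is an added example, not code from any poster in the thread; the function names `parse_hsts` and `review_hsts` and the sample header strings are constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; the one-year value mentioned in the thread

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797). A repeated directive or a
    missing/non-numeric max-age makes the header invalid, so ValueError is raised.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';' such as "max-age=60;"
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("max-age is required and must be a whole number of seconds")
    return directives

def review_hsts(value):
    """Return a list of findings for the two points raised in the thread."""
    d = parse_hsts(value)
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells the browser to drop the HSTS policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age}s expires in under a year ({ONE_YEAR}s)")
    if "preload" not in d:
        findings.append("no preload directive: not eligible for preload submission")
    return findings

if __name__ == "__main__":
    # Constructed sample header values, not taken from the poster's server.
    for sample in ("max-age=60;", "max-age=31536000; preload"):
        print(sample, "->", review_hsts(sample) or "ok")
```

An empty list from `review_hsts` means neither of the two issues discussed above applies to that header value.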