HSTS Enable Globally

I want to enable HSTS globally for all sites. Can I do this with Caddy? I am running Caddy v2.10.2.

I do not think there is a global setting for that.

HSTS, on the server side, is basically a specific HTTP response header, so what you can do, and what I am doing on my Caddy setup as well, is something like this:

## Enable HSTS
(headers_hsts) {
	header {
		Strict-Transport-Security max-age=16070400
	}
}

## Enable HSTS (include subdomains)
# The value must be quoted: otherwise the Caddyfile tokenizer splits it at the
# space and treats "includeSubDomains" as a third (replacement) argument.
(headers_hsts_subdomains) {
	header {
		Strict-Transport-Security "max-age=16070400; includeSubDomains"
	}
}

www.example.com {
	import headers_hsts
	...
}

example2.com {
	import headers_hsts_subdomains
	...
}

With headers_hsts, HSTS is enabled only for www.example.com. With headers_hsts_subdomains, it applies to example2.com and any subdomain, after the client has visited example2.com.
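A parser for the header these snippets emit, as an added example (not code from the original post or from Caddy), so you can check what a site actually sends: it flags a missing max-age, duplicate directives, and a preload flag whose max-age is below the hstspreload.org one-year minimum. SAMPLES holds constructed values matching the two snippets above.

```python
"""Parse and check Strict-Transport-Security header values (RFC 6797).
Added example for this thread, not code from the original post or from Caddy;
SAMPLES are constructed to match the two snippets above."""
import re
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the hstspreload.org minimum

# Constructed values as emitted by the headers_hsts / headers_hsts_subdomains snippets.
SAMPLES = {
    "www.example.com": "max-age=16070400",
    "example2.com": "max-age=16070400; includeSubDomains",
}

@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: list

def parse_hsts(value: str) -> HstsPolicy:
    """Split ';'-separated directives; names are case-insensitive."""
    max_age, include_sub, preload, problems, seen = None, False, False, [], set()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797 6.1: a repeated directive invalidates the header
            problems.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted-string
            if re.fullmatch(r"\d+", arg):
                max_age = int(arg)
            else:
                problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored by browsers, so they are ignored here too
    if max_age is None:
        problems.append("missing max-age; header is ignored by browsers")
    elif preload and max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("preload requires max-age >= 31536000")
    return HstsPolicy(max_age, include_sub, preload, problems)
```

Feed it the value from a real response (for example the output of `curl -sI https://example2.com`) to confirm the snippet was imported into the right site block.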
