Missing HSTS Header on Azure App Service Java
I have a Java 8 Spring Boot application with Embedded Web Server deployed as Azure App Service. Application is available under <myapp>.azurewebsites.net domain. My application adds HSTS (Strict-Transport-Security) header to it's HTTP responses. I verified that by issuing curl command from App Service SSH. From SSH inside App Service, I installed curl, and when I issue request I can see my header:
> curl http://0.0.0.0 -v
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000
However, when I try to do the same through <myapp>.azurewebsites.net domain the header is missing:
> curl https://<myapp>.azurewebsites.net -v
< HTTP/1.1 200
< <other headers visible but no Strict-Transport-Security>
How can I add Strict-Transport-Security header to responses through <myapp>.azurewebsites.net ? It looks like some kind of reverse proxy is hiding that header, but I have no idea how to make it available.