Missing HSTS Header on Azure App Service Java

Rafał Borowiak (Euvic)
2024-10-25T11:58:59.12+00:00

I have a Java 8 Spring Boot application with an embedded web server deployed as an Azure App Service. The application is available under the <myapp>.azurewebsites.net domain. My application adds the HSTS (Strict-Transport-Security) header to its HTTP responses. I verified that by issuing a curl command from App Service SSH. From SSH inside App Service, I installed curl, and when I issue a request I can see my header:

> curl http://0.0.0.0 -v 
< HTTP/1.1 200 
< Strict-Transport-Security: max-age=31536000 

However, when I try to do the same through the <myapp>.azurewebsites.net domain, the header is missing:

> curl https://<myapp>.azurewebsites.net -v 
< HTTP/1.1 200 
< <other headers visible but no Strict-Transport-Security> 

How can I add the Strict-Transport-Security header to responses through <myapp>.azurewebsites.net? It looks like some kind of reverse proxy is hiding that header, but I have no idea how to make it available.

Azure App Service