How to set HSTS header in HAProxy
Environment
- Red Hat Enterprise Linux (RHEL) 7.9
- HAProxy
Issue
- Security scanner detects vulnerability: HSTS Missing From HTTPS Server (RFC 6797)
- Protocol = TCP, Port = 443
- The security scanner reports: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header
Resolution
- Set the following in the frontend section (/etc/haproxy/haproxy.cfg):
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
- Restart haproxy and confirm the status:
# systemctl restart haproxy
# systemctl status haproxy -l
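To confirm the fix from the client side, the following added script (not part of this solution or of HAProxy) parses captured response headers the way the scanner does: it checks that Strict-Transport-Security is present, extracts max-age, and looks for the includeSubDomains and preload directives. It assumes the headers are captured with curl -sI against the HAProxy frontend; the sample headers embedded below are constructed, and the hostname in the commented live check is a placeholder.

```shell
#!/bin/sh
# Added verification script, not part of the Red Hat solution or HAProxy.
# Checks a captured set of HTTPS response headers for a usable HSTS header.

# Constructed sample: what `curl -sI https://<haproxy-frontend>/` prints once
# the http-response set-header line from the solution is active.
SAMPLE_HEADERS='HTTP/1.1 200 OK
content-type: text/html
strict-transport-security: max-age=16000000; includeSubDomains; preload;
'

# hsts_max_age HEADERS MIN_AGE
# Prints the max-age value and returns 0 when a Strict-Transport-Security
# header is present with max-age >= MIN_AGE; returns 1 when the header or
# its max-age is missing (the scanner finding), 2 when max-age is too small.
hsts_max_age() {
    headers=$1
    min_age=${2:-0}
    # Header names are case-insensitive; strip curl's CR and take the first
    # STS header only, which is also what RFC 6797 tells user agents to do.
    line=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || return 1
    # Directive names are case-insensitive too, so lower-case before matching.
    age=$(printf '%s\n' "$line" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    printf '%s\n' "$age"
    [ "$age" -ge "$min_age" ] || return 2
}

# hsts_has_directive HEADERS NAME
# Returns 0 when the named directive (includeSubDomains, preload) is present
# as a whole ';'-separated token of the first STS header.
hsts_has_directive() {
    wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | tr 'A-Z' 'a-z' | sed 's/^[^:]*://' | tr ';' '\n' | tr -d ' ' | grep -qx "$wanted"
}

# Stand-alone run against the constructed sample, using the one-year minimum
# (31536000 s) that the hstspreload.org submission form requires.
rc=0
hsts_max_age "$SAMPLE_HEADERS" 31536000 >/dev/null || rc=$?
echo "HSTS check against sample headers finished with status $rc"

# Live check against the frontend (hostname is a placeholder):
# hsts_max_age "$(curl -sI https://haproxy.example.invalid/)" 31536000
```

Run the live check only against the frontend that terminates TLS: user agents ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797), so setting it on a port-80 frontend does nothing for the scanner finding. Note that 16000000 seconds satisfies the scanner's presence check but is below the one-year max-age that the preload list requires, so the preload directive alone does not make the site eligible for submission.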
Refer to the following HAProxy blog for more information:
HAProxy & HTTP Strict Transport Security (HSTS)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.