BUG: HSTS stopped working.

[cr3wdayt5p]

We enabled HSTS around 2024-08-29 but now (2024-10-10) it is no longer working. The header is no longer sent. This applies to both the *.azurewebsites.net domain and our custom domain.

We have made no other configuration changes in this period.

host.json:

{
    "version": "2.0",
    ...
    "extensions": {
        ...
        "http": {
            "hsts": {
                "isEnabled": true,
                "maxAge": "730",
                "includeSubDomains": true,
                "preload": true
            }
        }
    }
}

Runtime Stack: DOTNET-ISOLATED|8.0 Runtime Version: 4.1036.2.2 OS: Linux Plan: Premium V3 (App Service Plan) Region: North Europe

Docs for the HSTS setting can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#hostjson-settings

[bhagyshricompany]

Hi @cr3wdayt5p Thanks for reporting there may be this reason. If you're using a custom domain, double-check that your SSL certificate bindings are still in place and valid. HSTS requires a valid SSL certificate. If the certificate expired or was removed, the HSTS header won't be sent.

[cr3wdayt5p]

Hi @bhagyshricompany

The certificate is assigned by Azure and is still valid (expiration 2025-01-23). The custom domain binding has also not been touched and is valid (see image).

[cr3wdayt5p]

My guess is that your bug is related to either the App Service Environment plan or to the Linux host.

We have another Azure Function running on the Dynamic plan on a Windows host in the same region (North Europe) with identical HSTS configuration – and this works. That host is also running a slightly newer runtime (4.1036.3.23284).