Strict Transport Security header not being set in 3xx responses

[faustdio-dico]

Environment info:

• KrakenD version: 2.7.0
• System info: Linux 5.15.0-1067-azure x86_64
• Backend technology: Java
• Additional environment information: Runs inside Kubernetes cluster, internal communication using HTTP and HTTPS for client communication

Describe the bug

It seems that Krakend is not sending the Strict Transport Security http header for redirect responses (e.g. 301), which is unexpected to us since the header is working for all other responses(2xx, 4xx, 5xx). In our config, we disabled the automatic redirection and we expected the header to be present in 3xx responses.

Your configuration file:

{
  {
  "$schema": "https://www.krakend.io/schema/v2.7/krakend.json",
  "version": 3,
  "extra_config": {
    "router": {
      "return_error_msg": true,
      "auto_options": true,
      "disable_redirect_fixed_path": true,
      "disable_redirect_trailing_slash": false,
      "disable_path_decoding": false,
      "remove_extra_slash": false,
      "disable_handle_method_not_allowed": false,
      "logger_skip_paths": [
        "/__health"
      ],
      "disable_access_log": true
    },
    "auth/validator": {
      "shared_cache_duration": 900
    },
    "security/http": {
      "force_sts_header": true,
      "sts_include_subdomains": true,
      "sts_seconds": 31536000
    },
    ...
}
}

Expected behavior We expected the Strict Transport Security http header for redirect responses to be present since it goes through our krakend api-gateway.

[alombarte]

Someone more experienced than me can jump in, but as far as I remember, you had to set ssl_host and ssl_redirect to support proper 301. Also, the STS header is sent ONLY on verified HTTPS connections. If you need the STS header for all HTTP and HTTPS requests (which you shouldn't), you can use the force_sts_header, but if is_development is true during your testing phase, it will still disable this header ignoring the force_sts_header.