This is an issue I have been fighting with for days, but I could not find any help on stackoverflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome.
I have been trying to set STS headers on HTTP requests when using Traefik as a proxy in a Docker environment. Somehow, no matter how I try to set the headers, my browser (Google Chrome) ignores them. What am I doing wrong?
I have been fighting with HSTS headers in Traefik for multiple days, when I learned something important about HSTS:
Your browser will ignore any STS headers when the certificate you are using is considered not trustworthy/safe by your browser. You can verify this (in Chrome) with the security tab in the developer tools.
For HSTS (HTTP Strict Transport Security) to work, I had to solve the next few things in my particular scenario:
The certificate I was using for development was self-signed and installed on my machine. But because it was self-signed, it was not put in the "Trusted Root Certification Authorities" directory. My browser complained that it could not find my certificate in that directory, so I had to put it there; otherwise the browser will still consider the certificate unsafe. Note that this was only meant for development purposes, official certificates were on the way.
At first I created my certificate, putting my domain in the CN (Common Name) section. Nowadays, browsers kind of ignore that section and look for the SAN (Subject Alternative Names) instead. I had to create a new certificate with my domain in that section.
Those two things were the things I missed; after solving those, my STS headers (used in docker-compose service labels) were working. The labels (Traefik v1.7) look as follows:
```yaml
my_service:
  deploy:
    labels:
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.STSSeconds=31536000"
```
Hope it helps anybody.
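An added check (example code, not from the answer above or from Traefik itself): parse the Strict-Transport-Security header a client receives and test it against the HSTS preload-list requirements (max-age of at least one year, includeSubDomains, preload). The sample header value is constructed from the answer's STSSeconds/STSPreload labels; that Traefik emits exactly that string is an assumption. `fetch_hsts` uses a verifying TLS context, so against the self-signed setup described above it fails before any header is read, which is the same behaviour the browser showed.

```python
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age the preload list requires


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None  # unparseable max-age: browsers ignore the header
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Return why this policy would be rejected for preloading (empty list = OK)."""
    problems = []
    if policy.max_age is None:
        problems.append("missing or invalid max-age")
    elif policy.max_age < ONE_YEAR:
        problems.append("max-age below one year (31536000)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def fetch_hsts(host: str, port: int = 443) -> Optional[str]:
    """Fetch the STS header over a verified TLS connection. With an untrusted
    (e.g. self-signed, CN-only) certificate this raises SSLCertVerificationError
    before any header is read, mirroring the browser behaviour in the question."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
```

Run against the answer's labels, the constructed value "max-age=31536000; preload" parses fine but would still be refused by the preload list because includeSubDomains is absent.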