How to configure HTTP Strict Transport Security (HSTS) on your project


Enable HSTS on your project. Read more about HSTS on Wikipedia.


You will need:

  • A local git repository that has the project as a git remote
  • A working application setup on the project

This how-to works whether you use the auto-generated domains or your own custom domain.


1. Check https is enabled

The ./.platform/routes.yaml file should contain only the https route (the route key below is the default-domain route; only its type and upstream were given on the original page):

    "https://{default}/":
        type: upstream
        upstream: app:http

2. Add the strict_transport_security configuration item, nested under the tls key of that route:

    "https://{default}/":
        type: upstream
        upstream: app:http
        tls:
            strict_transport_security:
                enabled: true
                include_subdomains: true
                preload: true

Please refer to the documentation for details about the different parameters.

3. Commit and deploy the change

    git add .platform/routes.yaml
    git commit -m "Enable HSTS"
    git push platform master

4. Check HSTS is enabled

Check the response headers sent by the server. This can be checked with the browser console or with curl:

    $ curl -I https://master-7rqtwti-<project id>.<region>
    HTTP/2 200
    strict-transport-security: max-age=31536000; includeSubDomains; preload

Any request to the http endpoint is redirected (301) to https. Note that browsers only honour a Strict-Transport-Security header received over https, so the max-age=0 value on this plain-http response has no effect:

    $ curl -I http://master-7rqtwti-<project id>.<region>
    HTTP/1.1 301 Moved Permanently
    Location: https://master-7rqtwti-<project id>.<region>
    Strict-Transport-Security: max-age=0
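As an added check that is not part of this how-to, the following Python script parses the two curl responses shown above and reports anything that would fall short of the configured target (1-year max-age, includeSubDomains, preload, http redirected to https); the response text it works on is a constructed copy of the output above.

```python
import re
# Constructed samples: the two curl transcripts from this how-to as raw header text.
HTTPS_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""
HTTP_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://master-7rqtwti-<project id>.<region>
Strict-Transport-Security: max-age=0
"""
ONE_YEAR = 31536000  # minimum max-age accepted by the browser preload list

def get_header(raw, name):
    # First value of header `name`, matched case-insensitively; None if absent.
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_hsts(value):
    # Split the header value into its directives (RFC 6797 syntax).
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if m:
            result["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            result["include_subdomains"] = True
        elif directive.lower() == "preload":
            result["preload"] = True
    return result

def check_hsts(https_raw, http_raw):
    # Empty list = matches the target: 1-year max-age, includeSubDomains, preload, http->https redirect.
    findings = []
    value = get_header(https_raw, "strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the https response"]
    hsts = parse_hsts(value)
    age = hsts["max_age"]
    if not age:
        findings.append("max-age missing or 0: no HSTS policy is set")
    elif age < ONE_YEAR:
        findings.append(f"max-age {age} is below the 1-year preload minimum")
    if not hsts["include_subdomains"]:
        findings.append("includeSubDomains missing (required for preload)")
    if not hsts["preload"]:
        findings.append("preload directive missing")
    status = http_raw.splitlines()[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        findings.append("plain-http request is not redirected to https")
    return findings
```

To check a live deployment, feed it the output of the two curl -I commands above in place of the constructed samples.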


Because the route configuration already supports the strict_transport_security parameter, enabling HSTS is a simple configuration change: there is no need to set the header from your application code.