I'm running the latest 1.5 release. Our site runs primarily on the `www` subdomain, but we want to enable HSTS for all subdomains (`includeSubDomains`). Unfortunately, due to the way HSTS works, the HSTS header MUST be present on the redirect from https://example.com to https://www.example.com. I am using a configuration like:

```
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
redirect prefix https://www.example.com code 301 if \
    { hdr(host) -i example.com }
```

For whatever reason, even when the rspadd line is before the redirect, no headers are added to the redirect, making this impossible. I've considered a fake backend with a fake 503 file to get around this - something like:

```
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Location: https://www.example.com/
Connection: close
```

While this will work, it feels really hacky. Is there a better way to add a header on a redirect?

Thanks
Sam
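
Added example, not part of the original post: a small checker for whether a raw redirect response carries a usable HSTS policy, useful for validating a hand-written response like the one above before serving it. The function names `parse_hsts` and `check_redirect` are hypothetical, and both sample responses are constructed from the text of the post.

```python
import re

# Constructed samples: the hand-written 301 from the post, and the same
# response without the header (what the post reports for rspadd + redirect).
STS = b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
WITH_HSTS = (b"HTTP/1.1 301 Moved Permanently\r\nCache-Control: no-cache\r\n"
             b"Content-Length: 0\r\n" + STS +
             b"Location: https://www.example.com/\r\nConnection: close\r\n\r\n")
WITHOUT_HSTS = WITH_HSTS.replace(STS, b"")

def parse_hsts(value):
    """Split an STS value into {directive: argument}; names are case-insensitive."""
    policy = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            policy[name.strip().lower()] = arg.strip().strip('"')
    return policy

def check_redirect(raw):
    """Return a list of HSTS problems in a raw redirect response ([] means OK)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = re.match(r"HTTP/1\.[01] (\d{3})(?: |$)", lines[0])
    if not status:
        return ["malformed status line"]
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:  # keep only the first occurrence, as RFC 6797 tells clients to
            headers.setdefault(name.strip().lower(), val.strip())
    problems = []
    if status.group(1) not in ("301", "302", "303", "307", "308"):
        problems.append("not a redirect")
    if not headers.get("location", "").lower().startswith("https://"):
        problems.append("Location is not https")
    if headers.get("content-length") != str(len(body)):
        problems.append("Content-Length missing or does not match body")
    if "strict-transport-security" not in headers:
        return problems + ["no Strict-Transport-Security header"]
    policy = parse_hsts(headers["strict-transport-security"])
    if not re.fullmatch(r"[0-9]+", policy.get("max-age", "")):
        problems.append("max-age missing or not a number")
    elif int(policy["max-age"]) == 0:
        problems.append("max-age=0 clears the policy")
    if "includesubdomains" not in policy:
        problems.append("includeSubDomains missing")
    return problems

if __name__ == "__main__":
    for label, raw in (("with", WITH_HSTS), ("without", WITHOUT_HSTS)):
        print(label, check_redirect(raw) or "OK")
```
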