Adding HSTS-Header / Strict-Transport-Security with post middleware?

I am trying to add the HSTS-Header to all responses in an app like this:

`Strict-Transport-Security: max-age=31530000; includeSubDomains`

My middleware JS looks like this:
`request.SetHeaders["Strict-Transport-Security"] = "max-age=31530000; includeSubDomains";`

but instead of showing up in the response headers, it shows up in a JSON response like this:
< X-Ratelimit-Reset: 1502754800
<
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Authorization": "foo",
    "Connection": "close",
    "Host": "httpbin.org",
    "Strict-Transport-Security": "max-age=31530000; includeSubDomains",
    "User-Agent": "curl/7.47.0"
  },

I am not grokking the response header documentation on how this is configured:
https://tyk.io/docs/transform-traffic/response-headers/

Does anyone have a sample somewhere on how this (or something similar) would be achieved? I am trying to set this up per app, not per endpoint - but if that is the only way to resolve this it would be good to know.

Thanks a bunch,
Robert

Are you testing against http://httpbin.org?

If so, then that’s how the request echoes back:

martin@DESKTOP-OKR0UFG ~> curl -v -H "My-Test-Header: Foo" https://httpbin.org/get
* Hostname was NOT found in DNS cache
*   Trying 50.16.228.34...
* Connected to httpbin.org (50.16.228.34) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=httpbin.org
*        start date: 2017-07-15 23:42:00 GMT
*        expire date: 2017-10-13 23:42:00 GMT
*        subjectAltName: httpbin.org matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET /get HTTP/1.1
> User-Agent: curl/7.35.0
> Host: httpbin.org
> Accept: */*
> My-Test-Header: Foo //<------ Here's my header
>
< HTTP/1.1 200 OK
< Connection: keep-alive
* Server meinheld/0.6.1 is not blacklisted
< Server: meinheld/0.6.1
< Date: Tue, 15 Aug 2017 21:20:23 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< X-Powered-By: Flask
< X-Processed-Time: 0.00102710723877
< Content-Length: 245
< Via: 1.1 vegur
<
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Connection": "close",
    "Host": "httpbin.org",
    "My-Test-Header": "Foo", // <--- And here it is in the response 
    "User-Agent": "curl/7.35.0"
  },
  "origin": "202.89.129.13",
  "url": "https://httpbin.org/get"
}

It essentially takes the headers of the inbound requests and plays them back to you in the JSON response… so your header was set correctly.

Yes, Martin - I was testing against httpbin.org. I am testing against my own APIs now and will reply back once I have it figured out. Thanks for the insight!

Robert
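
The distinction discussed in this thread, as an added example that is not part of the original posts: a Python check that takes a raw HTTP response and reports whether `Strict-Transport-Security` arrived as a real response header or only inside an echo service's JSON body. The two sample responses are constructed, and the names `parse_hsts` and `locate_hsts` are hypothetical.

```python
import json

# Constructed sample: an echo service's reply when the gateway injected HSTS
# into the *request*. The header shows up only inside the JSON body.
ECHOED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"args": {}, "headers": {"Host": "httpbin.org", '
    '"Strict-Transport-Security": "max-age=31530000; includeSubDomains"}}'
)
# Constructed sample: the same policy delivered as a real response header.
REAL = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31530000; includeSubDomains\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"args": {}, "headers": {"Host": "httpbin.org"}}'
)
NAME = "strict-transport-security"

def parse_hsts(value):
    """Split an HSTS value into (max_age_seconds or None, include_subdomains)."""
    max_age, subdomains = None, False
    for part in str(value).split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif key.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def locate_hsts(raw):
    """Say where HSTS sits in a raw response: header, echoed body, or absent."""
    head, _, body = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == NAME:
            return ("response-header",) + parse_hsts(value)
    try:  # echo services repeat the inbound request headers under "headers"
        echoed = json.loads(body)["headers"].items()
    except (ValueError, KeyError, TypeError, AttributeError):
        echoed = ()
    for name, value in echoed:
        if name.lower() == NAME:
            return ("echoed-request-header",) + parse_hsts(value)
    return ("absent", None, False)
```

Only the `response-header` result means a browser would see the policy; `echoed-request-header` means the header was added to the upstream request and merely played back in the body.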