Configuring HSTS Header in liveness check

Hi guys,

Is there a way to configure HSTS header on the liveness check URL for Tyk API Gateway, on Tyk version 5.3/5.4?
When performing a curl to https://(tyk-fqdn)/hello, there are no HSTS or security headers configured.

For the other API endpoints, we have managed to configure the HSTS header via the response from our upstream system. The only remaining one is the /hello path.

@sunset1230 Hello and welcome to the community :partying_face:

As far as I know, there isn’t a way to do this. There have been suggestions to use a thin reverse proxy/load balancer like nginx to accommodate this.

That is correct. Built-in APIs do not have security headers configured and cannot be altered except via source.

Considering there isn’t any sensitive information from the /hello endpoint, is there a reason why you want to protect this via HSTS?

Maybe blocking client/public access to it might be what you are after. The endpoint is majorly used for health checks but you could also use a dummy/mock API definition to achieve the same thing.

Great! You could also use our global headers middleware to achieve the same thing per API.

{
  ...
  "version_data": {
    "versions": {
      "<version-identifier>": {
        "global_response_headers": {
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
        }
      }
    }
  }
  ...
}

More details here
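One way to confirm which gateway paths actually return the header (an added example, not code from this thread or from Tyk): it parses the Strict-Transport-Security value and reports the gaps discussed above, such as /hello returning no header at all. The sample responses and the /orders/ path are constructed, not captured from a real gateway.

```python
"""Check gateway responses for a well-formed Strict-Transport-Security header."""
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # max-age used in the thread; common hardening baseline


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into a map of lower-cased directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        # Directives without '=' (includeSubDomains, preload) map to None.
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR) -> List[str]:
    """Return findings for one response; an empty list means the header is acceptable."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    findings: List[str] = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch response headers from a live gateway (not used by the offline sample below)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return dict(resp.headers)


# Constructed sample responses standing in for curl output against the gateway.
SAMPLE_RESPONSES = {
    "/hello": {"Content-Type": "application/json"},  # built-in liveness check: no HSTS
    "/orders/": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(path, check_hsts(hdrs) or "ok")
```

Point fetch_headers at each listen path of your gateway and feed the result to check_hsts to get the same report against live responses.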