Description
Hi, I want to set the response header `Strict-Transport-Security = "max-age=31536000; includeSubDomains";`
By default the header is present, but it is missing the `includeSubDomains` portion.
Based on my understanding of the feature, I've created a simple custom VCL within the Adobe Commerce Cloud admin panel.
The custom VCL is set to deliver with priority 10000000.
Content: `set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";`
Everything is uploaded and the cache cleaned, but the response header is still missing `includeSubDomains`.
On further examination, the active VCL contains a subsequent call that overrides the custom VCL, and it's executed as the last step before the deliver.
```vcl
...
# Snippet magentomodule_strictTransportLast : 10000000
  set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
#default response conditions
# Header rewrite Enable HSTS : 100
  set resp.http.Strict-Transport-Security = "max-age=31557600";
#--FASTLY DELIVER END
  return(deliver);
}
```
In the Adobe Commerce panel, under the Fastly module's Advanced configuration, Force TLS is set to disabled.
Fastly module: 1.2.219
Adobe Commerce Cloud: 2.4.7-p1
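
An added example, not part of the original report or of the Fastly module: a small Python audit that reads a rendered `vcl_deliver` excerpt and reports which response headers are set more than once, so a snippet that is shadowed by a later assignment shows up before deployment. The sample input is constructed from the excerpt quoted above, the function names are hypothetical, and it assumes straight-line code (it does not evaluate `if` conditions) and the label comment format shown in that excerpt.

```python
import re

# Constructed sample: the vcl_deliver excerpt quoted in the report above.
SAMPLE_VCL = '''\
# Snippet magentomodule_strictTransportLast : 10000000
  set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
#default response conditions
# Header rewrite Enable HSTS : 100
  set resp.http.Strict-Transport-Security = "max-age=31557600";
#--FASTLY DELIVER END
  return(deliver);
'''

# Label comments as they appear in the excerpt: "# <kind> <name> : <priority>"
LABEL_RE = re.compile(r'^#\s*(Snippet|Header rewrite)\s+(.+?)\s*:\s*(\d+)\s*$')
SET_RE = re.compile(r'^set\s+(resp\.http\.[\w-]+)\s*=\s*"([^"]*)"\s*;')

def header_assignments(vcl):
    """Return {header: [(source_label, value), ...]} in execution order."""
    result, label = {}, "unlabelled"
    for raw in vcl.splitlines():
        line = raw.strip()
        m = LABEL_RE.match(line)
        if m:
            label = f"{m.group(1)} {m.group(2)}"
            continue
        m = SET_RE.match(line)
        if m:
            result.setdefault(m.group(1), []).append((label, m.group(2)))
    return result

def overridden(vcl):
    """Headers set more than once; the last assignment is what the client receives."""
    return [{"header": h, "effective": s[-1], "shadowed": s[:-1]}
            for h, s in header_assignments(vcl).items() if len(s) > 1]

def hsts_directives(value):
    """Split an HSTS value into lower-cased directives (flag directives map to None)."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

if __name__ == "__main__":
    for item in overridden(SAMPLE_VCL):
        print(item["header"], "effective:", item["effective"], "shadowed:", item["shadowed"])
```
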