Hey all,
In our continuing efforts to improve security for all Netlify sites, we are making a change to the Strict-Transport-Security (HSTS) header. In addition to the existing value max-age=31536000, we will have added the values includeSubDomains and preload to all sites that are not using a custom domain name.
Since all sites are automatically routed to use HTTPS, this should not cause any issues.
- includeSubDomains forces HTTPS security attributes on all sub-domains of a site, such as Content Security Policy (CSP).
- preload ensures that the HTTPS security attributes are loaded into the browser or client before visiting a site.
Ask us for help!
Please feel free to reach out with questions and we will do our best to answer.
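
One way to check a captured Strict-Transport-Security value against the three values listed in the announcement, as an added example that is not Netlify's code. The function names and the sample header string are assumptions constructed for illustration; parsing follows the directive rules of RFC 6797 section 6.1.

```python
import re

# Constructed sample: the three values the announcement lists, joined as one header value.
ANNOUNCED = "max-age=31536000; includeSubDomains; preload"

# RFC 7230 "token" characters, used for directive names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(value):
    """Return {directive: value} with lower-cased names, or None if the header
    is invalid (a conforming client ignores an invalid header entirely).
    Simplification: quoted values containing ';' are not supported."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives, e.g. a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not _TOKEN.match(name) or name in directives:
            return None  # malformed name, or a directive repeated
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # values may be quoted strings
        directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives


def matches_announcement(value, min_age=31536000):
    """True when the header carries max-age >= min_age plus both added values."""
    d = parse_hsts(value)
    return (d is not None and d["max-age"] >= min_age
            and "includesubdomains" in d and "preload" in d)


if __name__ == "__main__":
    for header in (ANNOUNCED, "max-age=31536000", "includeSubDomains; preload"):
        print(f"{header!r}: {matches_announcement(header)}")
```

Feed it the header value from a response you captured yourself (for example from your browser's network panel) to confirm a site serves all three values.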