
How to disable HSTS header in Gateway

Behavior by Trustbuilder.io version

Before 2025.4.0

The Gateway always adds an HSTS header by default.

  • It cannot be disabled.

  • If your backend sends its own HSTS header, the response carries two HSTS headers, which may be flagged in security scans.

From 2025.4.0

The HSTS header is optional.

  • It is enabled by default and can be disabled.

  • If your backend already sets its own HSTS policy, we recommend disabling the Gateway's header to avoid duplicate headers.

To disable the HSTS Header:

  1. Go to Settings > Gateway.

  2. In the Gateway Configuration panel, click on Actions…

  3. Click on Edit.

  4. Click on + Add New VHosts or edit an existing one.

  5. Fill in the required parameters.

  6. Use the toggle to disable the HSTS header.

  7. Click on Save and Close.

  8. Go back to Gateway general configuration.

  9. In the Gateway Configuration panel, click on Actions…

  10. Click on Package.

  11. Set the package version number (e.g. 2.0.2).

  12. Click on Create Package.

  13. Double-click on the line.

  14. Select the package you created.

  15. In the Gateway Server panel, click on Status…

  16. Wait a few minutes; the status should change to Success.

The HSTS header value cannot yet be modified. When enabled, the Gateway always sends:

    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

  • max-age=63072000: enforce HTTPS for 63,072,000 seconds (two years).

  • includeSubDomains: applies the HTTPS policy to all subdomains of the current domain.

  • preload: indicates the domain is eligible for the HSTS preload list used by browsers.
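To verify the outcome of the procedure above (exactly one well-formed HSTS header on the client side, no duplicate from backend plus Gateway), the following added example checks raw response headers. It is not TrustBuilder code; the two sample responses are constructed to mimic a backend that sets its own policy behind a Gateway with the header still enabled, and the same backend after the toggle has been disabled. The preload-list requirement check (preload needs includeSubDomains) follows the public hstspreload.org rules rather than anything on this page.

```python
"""Check an HTTP response for duplicate or malformed Strict-Transport-Security headers.

Added example, not TrustBuilder Gateway code. Pipe real headers in with
`curl -sI https://your-host/ | python3 hsts_check.py`, or run it without
input to evaluate the constructed samples below.
"""
import sys

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse one Strict-Transport-Security header value into a directive map.

    Valueless directives (includeSubDomains, preload) map to True; directive
    names are lower-cased because HSTS directives are case-insensitive.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or True
    return directives


def check_headers(raw_headers: str) -> dict:
    """Report on the HSTS headers found in raw response header text."""
    hsts_values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            hsts_values.append(value.strip())

    report = {"count": len(hsts_values), "duplicate": len(hsts_values) > 1, "findings": []}
    if not hsts_values:
        report["findings"].append("no HSTS header present")
        return report
    if report["duplicate"]:
        # Backend and Gateway both emitting the header: the case the toggle fixes.
        report["findings"].append(
            f"{len(hsts_values)} HSTS headers in one response; disable one source")
    for value in hsts_values:
        d = parse_hsts(value)
        max_age = d.get("max-age")
        if max_age is None or not str(max_age).isdigit():
            report["findings"].append(f"missing or non-numeric max-age in '{value}'")
        elif int(max_age) < ONE_YEAR:
            report["findings"].append(f"max-age {max_age} is below one year in '{value}'")
        if "preload" in d and "includesubdomains" not in d:
            report["findings"].append(f"preload requires includeSubDomains in '{value}'")
    report["directives"] = [parse_hsts(v) for v in hsts_values]
    return report


# Constructed sample: backend sets its own HSTS policy, Gateway header still enabled,
# so the client receives two Strict-Transport-Security headers.
SAMPLE_DUPLICATE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html
"""

# Constructed sample after disabling the Gateway header: only the backend's policy remains.
SAMPLE_CLEAN = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUPLICATE
    for finding in check_headers(raw)["findings"] or ["OK: single well-formed HSTS header"]:
        print(finding)
```

Run it against the Gateway before and after packaging the new VHost configuration: the duplicate finding should disappear once the package reports Success, and the remaining header should be the one your backend intends to enforce.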
