HTTP Strict Transport Security header not present on custom domain

Hello, our security audit flagged this vulnerability for our custom domain we have setup with Auth0:
Web Server has HSTS Disabled

Upon manual inspection, I can see that the HTTP Strict Transport Security header is missing when accessing the configured custom domain. Is there something I can do to fix this?


Hey there @pangratios welcome to the community!

Interesting, this is the first I’ve ever heard this and can’t find anything where this has occurred elsewhere :thinking: I have come across issues regarding the preload directive, but nothing in regards to the header missing altogether. Are you able to doublecheck this again to confirm, and share any information as evidence to this being the case? A har file could do the trick (feel free to DM me the file).

Keep us posted!

Hey, I checked again today and now I can see the HSTS header.
I asked our security auditors to check once more and get back to me. But we can consider this as closed.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.