Hello, our security audit flagged this vulnerability for our custom domain we have setup with Auth0: Web Server has HSTS Disabled
Upon manual inspection, I can see that the HTTP Strict Transport Security header is missing when accessing the configured custom domain. Is there something I can do to fix this?
Interesting, this is the first I’ve ever heard this and can’t find anything where this has occurred elsewhere I have come across issues regarding the preload directive, but nothing in regards to the header missing altogether. Are you able to doublecheck this again to confirm, and share any information as evidence to this being the case? A har file could do the trick (feel free to DM me the file).
Hey, I checked again today and now I can see the HSTS header.
I asked our security auditors to check once more and get back to me. But we can consider this as closed.