Alex Smith

Reputation: 46

How to enable HSTS for Google Cloud Run app?

My Google Cloud Run app uses traditional 302 responses to redirect HTTP requests to HTTPS. Is there any way to have Google Cloud Run make use of the HSTS header?

My app stack is Express. I tried helmet.hsts() but it's not working. It seems that HTTP requests will be redirected by the Google proxy before they come to my Express app.

Here is my sample request and response:

* Rebuilt URL to: <URL>
*   Trying 2001:4860:4802:36::35...
* TCP_NODELAY set
* Connected to <HOST> (2001:4860:4802:36::35) port 80 (#0)
> GET / HTTP/1.1
> Host: <HOST>
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: <URL>
< X-Cloud-Trace-Context: e1f3dfe0e7bd604c447ca0c8f8c0ea5c
< Date: Thu, 24 Jun 2021 10:23:48 GMT
< Content-Type: text/html
< Server: Google Frontend
< Content-Length: 0
<
* Connection #0 to host <HOST> left intact

Upvotes: 1

Views: 1849

Answers (1)

guillaume blaquiere

Reputation: 75715

You can't customize the Cloud Run built-in proxy, and thus you can't add the header that you want, like the Strict-Transport-Security header.

However, as a workaround, you can deploy an HTTPS Load Balancer and add your Cloud Run service as a serverless NEG backend. Then, you have to configure the HTTPS Load Balancer to add a custom header.

Upvotes: 1
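
A check for verifying the result once the header has been added, as an added example that is not part of the original question or answer: it parses a Strict-Transport-Security value and reports whether a response would set an HSTS policy in a browser, which per RFC 6797 happens only for responses received over HTTPS. The function names and the sample responses are constructed for illustration.

```javascript
// Added example: parse a Strict-Transport-Security value (RFC 6797 syntax)
// and judge whether a response would actually set an HSTS policy.

function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;            // a repeated directive invalidates the header
    seen.add(name);
    if (arg !== null && /^".*"$/.test(arg)) arg = arg.slice(1, -1); // quoted-string form
    if (name === 'max-age') {
      if (arg === null || !/^\d+$/.test(arg)) return null;
      policy.maxAge = Number(arg);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {            // preload-list convention, not in RFC 6797
      policy.preload = true;
    }                                           // other unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy; // max-age is required
}

function assessResponse({ scheme, headers }) {
  if (scheme !== 'https') {
    return { effective: false, reason: 'plain HTTP response; HSTS is only honoured over HTTPS' };
  }
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'strict-transport-security');
  if (!key) return { effective: false, reason: 'header missing on HTTPS response' };
  const policy = parseHsts(headers[key]);
  if (!policy) return { effective: false, reason: 'header present but malformed' };
  if (policy.maxAge === 0) return { effective: false, reason: 'max-age=0 clears the policy' };
  return { effective: true, reason: 'policy set', policy };
}

// Constructed samples: the port-80 302 from the question, and an HTTPS response carrying the header.
const samples = [
  { scheme: 'http', status: 302, headers: { Server: 'Google Frontend', 'Content-Type': 'text/html' } },
  { scheme: 'https', status: 200, headers: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' } },
];
for (const s of samples) console.log(s.scheme, s.status, assessResponse(s).reason);
```

Feed it the scheme and headers of the final HTTPS response (for example from `curl -sI`), not the port-80 redirect.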
