
[BUG] - Nebari should be sending HSTS headers #3121

@sumphlet

Description


Describe the bug

Currently Nebari does not send an HSTS header when you connect to the hostname (example.com replaces the actual hostname we use). HSTS headers for any HTTPS site are required by our security plan.

$ curl -s -D- https://example.com |grep -i Strict
$

Expected behavior

A strict transport security header should be returned. For example:

$ curl -s -D- https://nasa.gov |grep -i Strict
strict-transport-security: max-age=31536000;includeSubdomains;preload

OS and architecture in which you are running Nebari

Red Hat Enterprise Linux 9

How to Reproduce the problem?

The easiest way to reproduce the problem is to run a curl command against the hostname. You can also check your headers in your browser's dev console:

Example curl command, replacing example.com with the hostname of your Nebari server:

curl -s -D- https://example.com |grep -i Strict

Command output

$ curl -s -D- https://example.com |grep -i Strict
$

Versions and dependencies used.

$ conda --version
conda 4.14.0

$ kubectl version
Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.32.4+k3s1

$ nebari --version
2025.6.1

Compute environment

None

Integrations

No response

Anything else?

We were given some instructions to possibly enable this, but it hasn't worked so far:

Under the nebari folder, create the following YAML file, middleware-hsts-1y.yaml:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hsts-1y
  namespace: dev
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true

Push the middleware to the cluster with kubectl apply -f middleware-hsts-1y.yaml, then add the following to the nebari-config.yaml file:

ingress:
  terraform_overrides:
    additional-arguments:
    - "entrypoints.websecure.http.middlewares=dev-hsts-1y@kubernetescrd"

Here's a describe of the middleware entry it created:

Name:         hsts-1y
Namespace:    dev
Labels:       <none>
Annotations:  <none>
API Version:  traefik.containo.us/v1alpha1
Kind:         Middleware
Metadata:
  Creation Timestamp:  2025-09-15T15:41:30Z
  Generation:          1
  Resource Version:    67443691
  UID:                 8f1dedf8-8859-4d78-801b-ab39bb4b261a
Spec:
  Headers:
    Sts Include Subdomains:  true
    Sts Seconds:             31536000
Events:                      <none>

Here's the YAML output:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"traefik.containo.us/v1alpha1","kind":"Middleware","metadata":{"annotations":{},"name":"hsts-1y","namespace":"dev"},"spec":{"headers":{"stsIncludeSubdomains":true,"stsSeconds":31536000}}}
  creationTimestamp: "2025-09-15T15:41:30Z"
  generation: 1
  name: hsts-1y
  namespace: dev
  resourceVersion: "67443691"
  uid: 8f1dedf8-8859-4d78-801b-ab39bb4b261a
spec:
  headers:
    stsIncludeSubdomains: true
    stsSeconds: 31536000
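As an added verification check (not part of this issue or of Nebari): a small Python script that parses the header dump `curl -s -D-` prints and flags the missing or weak HSTS settings described above, using the one-year max-age and includeSubDomains values the middleware is meant to produce; the header dumps at the bottom are constructed samples.

```python
# Constructed example (not Nebari project code): parse the header dump that
# `curl -s -D-` prints and verify the HSTS policy the middleware above should
# yield: max-age of one year and includeSubDomains.
ONE_YEAR = 31536000  # the stsSeconds value used in the middleware

def parse_headers(raw):
    """Map lowercase header name -> values; uses the last block so -L redirects do not mask it."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers = {}
    for line in blocks[-1].splitlines()[1:]:  # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_hsts(value):
    """Split an STS value into its directives; directive names are case-insensitive."""
    out = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                out[key] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent so the check flags it
        elif key:
            out[key] = True
    return out

def check_hsts(raw, min_age=ONE_YEAR):
    """Return findings for a curl -D- dump; an empty list means the policy is acceptable."""
    sts = parse_headers(raw).get("strict-transport-security", [])
    if not sts:
        return ["no Strict-Transport-Security header"]
    if len(sts) > 1:  # RFC 6797: browsers process only the first STS header
        return ["multiple Strict-Transport-Security headers"]
    d = parse_hsts(sts[0])
    findings = []
    if "max-age" not in d:
        findings.append("max-age missing, header is ignored by browsers")
    elif d["max-age"] < min_age:
        findings.append(f"max-age {d['max-age']} is below {min_age}")
    if not d.get("includesubdomains"):
        findings.append("includeSubDomains missing")
    return findings

MISSING = "HTTP/2 200 \r\ncontent-type: text/html\r\n\r\n"  # constructed: the failing case
GOOD = ("HTTP/2 200 \r\ncontent-type: text/html\r\n"  # constructed: the expected case
        "strict-transport-security: max-age=31536000;includeSubdomains;preload\r\n\r\n")
```

Feed it the raw output of `curl -s -D- https://<your-nebari-host> -o /dev/null` to check a live host.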
