Does the API Platform implement HSTS (strict-transport-security response header)?

Yes, at all levels. The application’s internal APIs use HSTS by default because our internal gateway implements it. The Platform’s front-end static navigation has implemented it natively since the 4.8.0.0 release. Finally, for calls to APIs exposed by our customers on their gateways, you can select which protocols each inbound address accepts. If an inbound address is configured to accept only HTTPS, the gateway returns the strict-transport-security header by default.

The strict-transport-security response header informs the client (such as a browser) that the address should only be accessed using HTTPS, not HTTP.