Hi! I have set up a GitHub page and all web scanners report there is no Strict-Transport-Security header. HTTPS is enforced. I am building the site with mkdocs. Is there a way to enable HSTS or add these headers? Thanks!
Replies: 2 comments 2 replies
I see that your question is not answered. If you’re using GitHub Pages for your static site and you've run into warnings about the missing Strict-Transport-Security (HSTS) header, you're not alone. Since GitHub Pages doesn’t directly support custom headers like HSTS, even if HTTPS is enforced, web scanners will still flag it.

So, how can you add security headers to a GitHub Pages site built with mkdocs?

Here are two options:

1. Use a Custom Domain with Cloudflare

A straightforward way to add HSTS headers is by using a custom domain in combination with Cloudflare. With Cloudflare’s free plan, you can add HSTS and other headers easily through the Cloudflare dashboard. This approach also brings additional perks like improved caching and DDoS protection, so it’s a win-win for both security and performance.

To set this up: Point your custom domain to GitHub Pages through your domain registrar.

2. Deploy via GitHub Actions to a Custom Host

If you’re comfortable with a more advanced setup, consider deploying your mkdocs site with GitHub Actions to another static hosting service, like AWS S3 paired with CloudFront. AWS allows full control over response headers, so you can easily add HSTS or any other security headers.

The process involves creating a GitHub Action that builds and pushes your site to an S3 bucket. You’ll then use CloudFront as the CDN layer, where you can configure custom headers in the CloudFront settings. This option gives you flexibility and security, but it requires a bit more setup.

Both of these methods let you bring custom headers to your mkdocs site without limitations, so you can enhance security without switching hosting platforms.

Hope this helps you.
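An added example, not part of the reply above: a small Python check for the Strict-Transport-Security value that a CDN layer such as Cloudflare or CloudFront ends up sending, parsed according to RFC 6797. The function names, the finding codes, the sample header dicts and the 180-day `MIN_AGE` threshold are assumptions made for this illustration.

```python
import re

# RFC 6797 section 6.1: directives are ";"-separated, names are
# case-insensitive, max-age is required and may be a quoted string.
_DELTA_SECONDS = re.compile(r'^"?(\d+)"?$')
MIN_AGE = 15552000        # assumed audit threshold (180 days)
PRELOAD_AGE = 31536000    # one year, the minimum for preload-list submission

def parse_hsts(value):
    """Return the parsed policy as a dict, or None if the value is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue                  # empty directives are permitted
        if name in directives:
            return None               # a directive may appear only once
        directives[name] = arg.strip()
    m = _DELTA_SECONDS.match(directives.get("max-age", ""))
    if m is None:
        return None                   # max-age missing or not an integer
    return {"max_age": int(m.group(1)),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit(headers):
    """Return finding codes for one response's headers (empty list = pass)."""
    values = [v for k, v in headers.items()
              if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]
    policy = parse_hsts(values[0])
    if policy is None:
        return ["invalid"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age-zero")   # tells browsers to drop the policy
    elif policy["max_age"] < MIN_AGE:
        findings.append("max-age-short")
    if policy["preload"] and not (policy["include_subdomains"]
                                  and policy["max_age"] >= PRELOAD_AGE):
        findings.append("preload-ineligible")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    print(audit({"Content-Type": "text/html"}))
    print(audit({"strict-transport-security": "max-age=31536000; includeSubDomains"}))
```

Feed `audit` the header dict of a real response (for example from `urllib.request.urlopen(url).headers`) once the custom domain is live to see the same result a scanner would report.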
Would you please explain your requirement in detail?