A Headers Question

It’s been a long week and I’ve gotten past the point where logic works.

Anvil enforces HSTS by default.

But an HSTS warning pops up whenever you check the app using the services which inspect such things.

OWASP says to put this in your header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

But where do you put this in your app?

I’m guessing that you mean this:

Is that the right one?

I’m no HTTP expert, but other forum members are.

Yes, that’s the one.

Back through forum posts, I’ve no reason to doubt that Anvil uses HSTS as part of the security model.

But whenever I run a check, say on security headers or in a security scan, the advisory is there in bold red.

What I can’t work out is how to set the header in Anvil itself to solve the problem.

The amazing team at Anvil now have this live! Single tick in the IDE! Awesome!