I would like to configure Keycloak so that the HSTS header is returned with responses.
Following the advice on enabling HTTPS that can be found here: https://hub.docker.com/r/jboss/keycloak/, I have created a certificate, which I have then mounted into the container using the following command:
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-p 8080:8080 \
-p 8443:8443 \
-p 8444:8444 \
-v /Users/kamil/tmp/https/tls.crt:/etc/x509/https/tls.crt \
-v /Users/kamil/tmp/https/tls.key:/etc/x509/https/tls.key \
--name my-keycloak-test \
my-keycloak
I have also ensured that the HSTS settings in the Security Defenses tab are correct.
However, when I request a token, responses come without the HSTS header.
curl --location --request POST 'https://localhost:8443/auth/realms/test/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'accept: */*' \
--header 'sec-fetch-site: same-site' \
--header 'sec-fetch-mode: cors' \
--data-urlencode 'username=user1' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=postman' \
--data-urlencode 'redirect_uri=https://google.com' \
--data-urlencode 'password=pass'
I would appreciate any suggestion on what I might be missing here.
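As an added example (not part of the question above or of Keycloak itself), here is a small POSIX shell check that reads a raw HTTP response header dump and reports whether a Strict-Transport-Security header is present with an acceptable max-age. It makes the header test repeatable instead of eyeballing curl output: feed it `curl -D - -o /dev/null ...` from the token request in the question, or any other endpoint. The host, port and path in the usage comment are taken from the question; the minimum max-age of one year is an assumption, not a Keycloak setting.

```shell
#!/bin/sh
# Added example: verify the HSTS header in an HTTP response header dump.
#
# check_hsts [MIN_AGE]
#   Reads raw response headers on stdin. Prints the HSTS value and returns 0
#   when a Strict-Transport-Security header is present with max-age >= MIN_AGE
#   (assumed default: 31536000 seconds, one year); returns 1 otherwise.
check_hsts() {
    min_age="${1:-31536000}"
    # Header names are case-insensitive and lines may end in CRLF, so strip
    # the CR, match case-insensitively and keep only the header value.
    hsts=$(tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | head -n 1 \
        | cut -d: -f2- \
        | sed 's/^[[:space:]]*//')
    if [ -z "$hsts" ]; then
        echo "no Strict-Transport-Security header in response" >&2
        return 1
    fi
    # Directive names are case-insensitive too; extract the max-age number.
    age=$(printf '%s' "$hsts" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "HSTS header present but without max-age: $hsts" >&2
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "HSTS max-age $age is below $min_age: $hsts" >&2
        return 1
    fi
    echo "HSTS ok: $hsts"
    return 0
}

# check_hsts_url URL [extra curl args...]
#   Fetches only the response headers of URL and runs check_hsts on them.
#   -k is used solely because the question's setup uses a self-signed
#   certificate on localhost; drop it against a properly issued certificate.
check_hsts_url() {
    url="$1"
    shift
    curl -sS -k -D - -o /dev/null "$@" "$url" | check_hsts
}

# Example usage against the endpoint from the question (assumed reachable):
#   check_hsts_url 'https://localhost:8443/auth/realms/test/protocol/openid-connect/token' \
#       -X POST -d 'grant_type=password&client_id=postman&username=user1&password=pass'
```

Run it against both the token endpoint and a browser-facing page such as the realm's account console; comparing the two results tells you whether the header is missing everywhere (a TLS/proxy or realm-configuration problem) or only on the endpoint you tested.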