Missing HSTS header in local Docker container setup

I would like to configure Keycloak so that HSTS header is returned with responses.
Following the advice on enabling https that can be found here: https://hub.docker.com/r/jboss/keycloak/, I have created a certificate which I have then mounted into the container using the following command:

-e KEYCLOAK_USER=admin \
-p 8080:8080 \
-p 8443:8443 \
-p 8444:8444 \
-v /Users/kamil/tmp/https/tls.crt:/etc/x509/https/tls.crt \
-v /Users/kamil/tmp/https/tls.key:/etc/x509/https/tls.key \
--name my-keycloak-test \

I have also ensured that in the Security defenses tab HSTS settings are correct.

However, when I request a token, responses come without the HSTS header.
Token request:

curl --location --request POST 'https://localhost:8443/auth/realms/test/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'accept: */*' \
--header 'sec-fetch-site: same-site' \
--header 'sec-fetch-mode: cors' \
--data-urlencode 'username=user1' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=postman' \
--data-urlencode 'redirect_uri=https://google.com' \
--data-urlencode 'password=pass'

I would appreciate any suggestion on what I might be missing here.

The HSTS header is actually not missing, it’s simply not configured. Using HTTPS does not force you to set the HSTS header.

You can set it on your own by modifying the standalone-ha.xml with the solutions mentioned here:

I once did this for a client and put the needed settings in a jboss-cli script and added it to my container build (Dockerfile) process.

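An added example of the approach the answer describes (a jboss-cli script baked into the image at build time), together with a small check that the header actually comes back on TLS responses; this is not code from the thread or from the Keycloak project. It assumes the jboss/keycloak image executes `*.cli` files placed in `/opt/jboss/startup-scripts/` before the server boots, that the Undertow server and host keep the WildFly default names (`default-server`/`default-host`), and the `max-age` value is a placeholder policy.

```shell
#!/bin/sh
# Added example, not from this thread: the answer's approach (a jboss-cli script
# baked into the image) plus a check that the header really comes back.
# Assumptions: the jboss/keycloak image runs *.cli files from
# /opt/jboss/startup-scripts/ before boot, the Undertow server and host keep the
# WildFly defaults (default-server/default-host), and max-age is a placeholder.

# 1. CLI script: declare a response-header filter and attach it to the host.
#    The secure() predicate restricts the header to TLS responses, which is what
#    RFC 6797 requires (browsers ignore HSTS received over plain HTTP anyway).
cat > hsts.cli <<'EOF'
embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=undertow/configuration=filter/response-header=hsts:add(header-name="Strict-Transport-Security",header-value="max-age=31536000; includeSubDomains")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hsts:add(predicate="secure()")
stop-embedded-server
EOF

# 2. Dockerfile: copy the script into the image so every container gets it.
cat > Dockerfile <<'EOF'
FROM jboss/keycloak
COPY hsts.cli /opt/jboss/startup-scripts/hsts.cli
EOF
# docker build -t keycloak-hsts .   (then run it with the same -p/-v flags as before)

# 3. Check: does a raw HTTP response (status line + headers + body on stdin)
#    carry Strict-Transport-Security in its header section? Exit 0 if so.
#    Header names are case-insensitive; everything after the first blank line is body.
has_hsts() {
  awk 'BEGIN { found = 1 }
       /^\r?$/ { exit }
       tolower($0) ~ /^strict-transport-security:/ { found = 0 }
       END { exit found }'
}

# Usage against a running container (-k only because the test cert is self-signed):
#   curl -ksi https://localhost:8443/auth/ | has_hsts && echo "HSTS present"
```

Running the same check against the plain `http://localhost:8080/auth/` listener should fail, which confirms the `secure()` predicate is doing its job.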

@dasniko I was able to configure the header properly thanks to the resources you provided. Thank you!
