-
Select Topic AreaQuestion BodyHi! I have set up a github page and all web scanners report there is no Strict-Transport-Security header. Https is enforced. I am building the site with mkdocs. Is there a way to enable HSTS or add these headers? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
I see that your question is not answered. If you’re using GitHub Pages for your static site and you've run into warnings about the missing Strict-Transport-Security (HSTS) header, you're not alone. Since GitHub Pages doesn’t directly support custom headers like HSTS, even if HTTPS is enforced, web scanners will still flag it. So, how can you add security headers to a GitHub Pages site built with mkdocs? Here are two options: 1. Use a Custom Domain with CloudflareA straightforward way to add HSTS headers is by using a custom domain in combination with Cloudflare. With Cloudflare’s free plan, you can add HSTS and other headers easily through the Cloudflare dashboard. This approach also brings additional perks like improved caching and DDoS protection, so it’s a win-win for both security and performance. To set this up: Point your custom domain to GitHub Pages through your domain registrar.
2. Deploy via GitHub Actions to a Custom HostIf you’re comfortable with a more advanced setup, consider deploying your mkdocs site with GitHub Actions to another static hosting service, like AWS S3 paired with CloudFront. AWS allows full control over response headers, so you can easily add HSTS or any other security headers. The process involves creating a GitHub Action that builds and pushes your site to an S3 bucket. You’ll then use CloudFront as the CDN layer, where you can configure custom headers in the CloudFront settings. This option gives you flexibility and security, but it requires a bit more setup. Both of these methods let you bring custom headers to your mkdocs site without limitations, so you can enhance security without switching hosting platforms. Hope this helps you. |
Beta Was this translation helpful? Give feedback.
I see that your question is not answered. If you’re using GitHub Pages for your static site and you've run into warnings about the missing Strict-Transport-Security (HSTS) header, you're not alone. Since GitHub Pages doesn’t directly support custom headers like HSTS, even if HTTPS is enforced, web scanners will still flag it.
So, how can you add security headers to a GitHub Pages site built with mkdocs?
Here are two options:
1. Use a Custom Domain with Cloudflare
A straightforward way to add HSTS headers is by using a custom domain in combination with Cloudflare. With Cloudflare’s free plan, you can add HSTS and other headers easily through the Cloudflare dashboard. This approach also bri…