API Gateway: HTTP Strict Transport Security (HSTS) header



Article ID: 70730


Products

CA API Gateway

Issue/Introduction

This article will explain how to add an HSTS header to API Gateway responses.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections and never via the insecure HTTP protocol.

Environment

This article applies to all supported API Gateway versions.

Resolution

HSTS support on the API Gateway can be achieved by adding the Manage Transport Properties/Headers assertion to your policy.

  1. Add the Manage Transport Properties/Headers assertion to the desired policy.
  2. Set the target message this assertion will apply to. For this use-case, it should be set to a value of Response.
  3. Double-click the Manage Transport Properties/Headers assertion to access the assertion properties and set the following values:
    1. Type: HTTP Header
    2. Operation: Add or Replace
    3. Property/Header Name: Strict-Transport-Security
    4. Property/Header Value: max-age=86400; includeSubDomains; preload
       Note: the value above is just an example and may need to be modified as needed for the environment.
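Once the assertion is in place, the quickest way to confirm it took effect is to inspect an HTTPS response from the Gateway and check the header value against what RFC 6797 requires (a single max-age directive, no duplicates) and, if preload is in the value, against the hstspreload.org submission rules (max-age of at least 31536000 seconds, includeSubDomains, preload). Two caveats worth keeping in mind when choosing the value: browsers ignore an HSTS header received over plain HTTP, so the assertion only matters on the HTTPS listener, and the preload directive commits every subdomain to HTTPS once the domain is on the browser preload lists, so it should only be sent when that is intended. The validator below is an added example, not code from the article or from the Gateway product; the response headers it checks are constructed samples, and the function and class names are this example's own.

```python
"""Validate the Strict-Transport-Security header a gateway returns.

Added example, not part of the Broadcom article or the Gateway product.
It parses an HSTS header value per RFC 6797 and reports whether it is
present, well-formed, and (optionally) meets the hstspreload.org
submission requirements. The sample responses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # A usable policy has a max-age and no parse problems.
        return self.max_age is not None and not self.problems

    @property
    def preload_eligible(self) -> bool:
        # hstspreload.org requires all three directives and a one-year max-age.
        return (self.valid and self.preload and self.include_subdomains
                and self.max_age >= PRELOAD_MIN_MAX_AGE)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an HSTS header value such as 'max-age=86400; includeSubDomains'.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    max-age is required, and a directive must not appear more than once.
    Unknown directives are ignored.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                policy.problems.append(f"max-age is not a non-negative integer: {arg!r}")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age directive missing")
    return policy


def check_response_headers(headers: dict) -> HstsPolicy:
    """Find the header case-insensitively, as it may appear in a captured response."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    policy = HstsPolicy()
    policy.problems.append("Strict-Transport-Security header not present in response")
    return policy


# Constructed sample responses (not captured from a real gateway).
SAMPLES = {
    "article_value": {"Content-Type": "application/json",
                      "Strict-Transport-Security": "max-age=86400; includeSubDomains; preload"},
    "one_year":      {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    "missing":       {"Content-Type": "application/json"},
    "malformed":     {"Strict-Transport-Security": "max-age=abc; includeSubDomains"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        p = check_response_headers(hdrs)
        print(f"{label:14} valid={p.valid} preload_eligible={p.preload_eligible} {p.problems}")
```

Running it shows that the article's example value parses as a valid policy but is not preload-eligible because its max-age is one day; either drop the preload directive or raise max-age to a year before submitting the domain to the preload list.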

If you would like this to apply to all Gateway services, the assertion can be added to a global policy such as the message-completed policy. More details about global policies can be found here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/services-and-policies/working-with-policies/policy-fragments/global-policy-fragments.html