How to add HSTS header when redirecting traffic in load balancer?

0

How can we set the redirection action response's HSTS header, such as: Strict-Transport-Security 'max-age=XXXXXXXXXX'? Attached are the screenshots of our load balancer, where we need to add the strict HSTS header. [Two screenshots of the load balancer configuration were attached; not reproduced here.]

asked a year ago · 6387 views
1 Answer
0

Hello,


HSTS is specified by a Web Application on the Back-end through the use of a special response header (the Strict-Transport-Security HTTP response header field) and forces Clients to direct their User Agent(s) to interact with given sites only over secure connections [1].

Stack overflow: Enabling HSTS in AWS ELB application load balancer

Currently, ELB natively does not support HSTS. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application using a special response header. Since it is an application level configuration, it needs to be enabled only on the back-end server(s) (targets).

A workaround for HSTS to operate with an ELB is to enable HSTS on the backend instance. The ELB will forward the "Strict-Transport-Security" header to clients without altering it.

HTTP Strict Transport Security Cheat Sheet

Please refer to the documentation on how to set up HSTS headers in your backend instance(s) [2][3].

Further, if you are using ALB, there would be another option: use the CloudFront service in front of the ALB (since ALB does not support HSTS). Kindly refer to the following article to learn more:

[+] How do I add HTTP security headers to CloudFront responses?


References:

  1. RFC on HSTS: https://tools.ietf.org/html/rfc6797
  2. IT IGLOO: https://itigloo.com/security/how-to-configure-http-strict-transport-security-hsts-on-apache-nginx/
  3. HTTP Strict Transport Security for Apache, NGINX and Lighttpd: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
AWS Support Engineer · answered a year ago
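The answer above makes two points: the ALB forwards a backend-set Strict-Transport-Security header unchanged, and CloudFront in front of the ALB is the place to add the header when the backend cannot. The following is an added example (not code from the re:Post answer, from AWS, or from the linked articles) of a CloudFront Function that fills in the header only when the origin did not already send one, plus a validator for the header value written from RFC 6797 section 6.1. It assumes the CloudFront Functions event shape (`event.response.headers` with lowercase header names and `{ value: '...' }` objects) and a one-year `max-age`; the `checkHsts` helper and the sample responses are constructed for this example. One caveat worth knowing while planning the redirect action from the question: RFC 6797 section 8.1 has the user agent ignore the header when it arrives over plain HTTP, so the header matters on the HTTPS responses, not on the HTTP-to-HTTPS redirect.

```javascript
// Added example, not from the re:Post answer or AWS documentation.
// Assumed: CloudFront Functions event shape (event.response.headers, lowercase
// header names, { value } objects). Sample responses below are constructed.

const HSTS_HEADER = 'strict-transport-security';
const ONE_YEAR = 31536000;
const DEFAULT_HSTS = `max-age=${ONE_YEAR}; includeSubDomains`;

// CloudFront Functions entry point for a viewer-response trigger.
// The ALB passes a backend-set HSTS header through untouched, so the edge only
// adds one when the backend did not send it (and never overrides a stricter one).
function handler(event) {
  const response = event.response;
  if (!response.headers[HSTS_HEADER]) {
    response.headers[HSTS_HEADER] = { value: DEFAULT_HSTS };
  }
  return response;
}

// Parse a Strict-Transport-Security value per RFC 6797 section 6.1:
// ';'-separated directives, max-age required, includeSubDomains optional,
// names case-insensitive, a directive must not appear twice, unknown
// directives ignored. 'preload' is a browser-list convention, not RFC 6797.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) {
      result.errors.push(`duplicate directive: ${name}`);
      continue;
    }
    seen.add(name);
    if (name === 'max-age') {
      // RFC 6797 allows the delta-seconds to be a quoted-string.
      const digits = val === null ? '' : val.replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(digits)) {
        result.errors.push('max-age must be a non-negative integer');
      } else {
        result.maxAge = Number(digits);
      }
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  if (!seen.has('max-age')) {
    result.errors.push('max-age directive is required');
  }
  return result;
}

// Constructed helper: judge whether a response carries a usable HSTS header
// with at least minAge seconds (one year is the common recommendation).
function checkHsts(response, minAge = ONE_YEAR) {
  const header = response.headers[HSTS_HEADER];
  if (!header) return { ok: false, reason: 'no Strict-Transport-Security header' };
  const parsed = parseHsts(header.value);
  if (parsed.errors.length > 0) return { ok: false, reason: parsed.errors.join('; ') };
  if (parsed.maxAge < minAge) {
    return { ok: false, reason: `max-age ${parsed.maxAge} is below ${minAge}` };
  }
  return { ok: true, reason: 'ok' };
}

// Stand-alone demonstration on two constructed responses: one where the
// backend behind the ALB set nothing, one where it set a short max-age.
const fromBackendWithoutHsts = { statusCode: 200, headers: { 'content-type': { value: 'text/html' } } };
const fromBackendWithShortHsts = { statusCode: 200, headers: { [HSTS_HEADER]: { value: 'max-age=600' } } };
console.log(checkHsts(handler({ response: fromBackendWithoutHsts })));
console.log(checkHsts(handler({ response: fromBackendWithShortHsts })));
```

Deploying this as a viewer-response function on the CloudFront distribution in front of the ALB covers the "backend cannot set the header" case; `checkHsts` can be run against captured response headers to confirm that what the ALB forwarded from the backend is both present and long-lived enough.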
