From d843f8848e07d87c5e61ecd37bc3f5da0a2d1e55 Mon Sep 17 00:00:00 2001
From: Mahmud Hussain
Date: Thu, 1 Feb 2024 10:36:10 +0000
Subject: [PATCH] Add HTTP Strict-Transport-Security header

- This sets the HSTS header to the domain within VCL
- Enables consistency throughout the CDN.
---
 modules/www/www.vcl.tftpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/www/www.vcl.tftpl b/modules/www/www.vcl.tftpl
index 620a3c8..db39a08 100644
--- a/modules/www/www.vcl.tftpl
+++ b/modules/www/www.vcl.tftpl
@@ -452,6 +452,8 @@ sub vcl_miss {
 }
 
 sub vcl_deliver {
+ set resp.http.Strict-Transport-Security = "max-age=31536000; preload";
+
 # GOV.UK accounts
 if (resp.http.GOVUK-Account-End-Session) {
 add resp.http.Set-Cookie = "__Host-govuk_account_session=; secure; httponly; samesite=lax; path=/; max-age=0";
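Review bot: The value set at the top of `vcl_deliver` carries `preload` without `includeSubDomains`, and the browser preload list only accepts a policy that has both (plus a max-age of at least a year), so as written the `preload` token does nothing and the policy covers only the exact host after a first HTTPS visit. Either drop `preload`, or, once every subdomain is confirmed to serve HTTPS, use `set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";`, bearing in mind that preload-list entries are slow to remove. The unconditional `set` also replaces any Strict-Transport-Security value an origin already sent, which looks intended given the commit message but deserves a comment such as `# HSTS is owned by the CDN; overrides any origin-supplied value`. The body of `vcl_deliver` continues past the end of the hunk.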