I would like to know how to set up HSTS headers and security headers in the Kong config file. I haven't found anything yet.
There is none.
You can use the response-transformer plugin to inject the header.
Hey, so the response-transformer is the same as this, but for Kong?
To configure HSTS in Nginx, add the following entry in nginx.conf under the server (SSL) directive:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
If you want to do it at the Nginx-level, you could use Nginx directive injection to achieve this as well:
Same requirements, but request-transformer plugin not working for me: response-transformer global plugin not working (reliably) · Issue #7040 · Kong/kong · GitHub.
Trying to do this through nginx directives injection in the Kong config instead (Configuration Reference - v1.4.x | Kong - Open-Source API Management and Microservice Management), but I don’t see how to add multiple ‘add_header’ directives, as only the last such directive in the config is processed by Kong.
Edit: the only thing that worked for now is a custom nginx template.
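
Whichever route from this thread is used (plugin, injected directive or custom template), the response the gateway actually returns can be checked for the intended headers. The following is an added example, not code from the thread or from Kong; the required-header set, the minimum max-age policy and the sample responses are assumptions constructed for illustration.

```python
# Assumed policy: headers the gateway should add (adjust to your own set).
REQUIRED = ("strict-transport-security", "x-content-type-options", "x-frame-options")
MIN_MAX_AGE = 31536000  # one year, the max-age value quoted in the thread
# Constructed sample responses, not captured from a real gateway.
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""
# Only the last configured header made it into the response.
LAST_ONLY = """HTTP/1.1 200 OK
X-Frame-Options: DENY
"""
WEAK = GOOD.replace("max-age=31536000; includeSubDomains", "max-age=300")

def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value):
    """Split an HSTS value into {directive: value}; names are case-insensitive."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit(raw):
    """Return a list of findings; an empty list means the response passes."""
    headers = parse_headers(raw)
    findings = [f"missing header: {h}" for h in REQUIRED if h not in headers]
    for value in headers.get("strict-transport-security", []):
        d = parse_hsts(value)
        max_age = d.get("max-age", "")
        if not max_age.isdigit():
            findings.append("HSTS max-age missing or not a number")
        elif int(max_age) < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    return findings
```

Feeding `audit` the header block saved from a request through the gateway shows at once whether every intended header arrived or only one of them.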