openshift-docs/modules/microshift-nw-enforcing-hsts-per-domain.adoc

// Module included in the following assemblies:
//
// * microshift_networking/microshift-configuring-routes.adoc

:_mod-docs-content-type: PROCEDURE
[id="microshift-nw-enforcing-hsts-per-domain_{context}"]
= Enforcing HTTP Strict Transport Security per-domain

You can configure a route with a compliant HSTS policy annotation. To handle an upgraded node with noncompliant HSTS routes, you can update the manifests at the source and apply the updates.

You cannot use `oc expose route` or `oc create route` commands to add a route in a domain that enforces HSTS because the API for these commands does not accept annotations.

[IMPORTANT]
====
HSTS cannot be applied to insecure, or non-TLS, routes.
====

.Prerequisites
* You have root access to the node.
* You installed the {oc-first}.

.Procedure

* Apply HSTS to all routes in the node by running the following `oc annotate command`:
+
[source,terminal]
----
$ oc annotate route --all --all-namespaces --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains"
----
+
* Apply HSTS to all routes in a particular namespace by running the following `oc annotate command`:
+
[source,terminal]
[subs="+quotes"]
----
$ oc annotate route --all -n __<my_namespace>__ --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains" <1>
----
<1> Replace `_<my_namespace>_` with the namespace you want to use.

.Verification
* Review the HSTS annotations on all routes by running the following command:
+
[source,terminal]
----
$ oc get route  --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'
----
+
.Example output
[source,terminal]
----
Name: <_routename_> HSTS: max-age=31536000;preload;includeSubDomains
----