Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy. Currently the Azure Application Proxy does not support the Strict-Transport-Security header. Please make App Proxy support this and maybe other customizable headers for DHS BOD 18-01 compliance. https://cyber.dhs.gov/bod/18-01/ The On-prem solution (Web Application Proxy) is also not compliant.

We’re working on a feature to enable this as a setting on an application. If you would like this enabled for your tenant as part of a preview, please reach out to aadapfeedback@microsoft.com.
1 comment
Jon Sauter commented
This is still flagged as 'under review' but appears to have been implemented in the product. This causes problems for applications that are not using HTTPS internally when the user connects to the application directly from on-prem. If HSTS is going to be a feature of App-Proxy then there needs to be a toggle for it (at the tenant- and/or at the application-level).
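As an added example (not code from this thread, from Microsoft, or from App Proxy itself), here is the kind of check a defender runs over a published endpoint's captured response headers to confirm the HSTS header the request above asks for is actually present and strong enough. The one-year max-age baseline is an assumption taken from typical BOD 18-01 style HTTPS audits; the parsing follows RFC 6797.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed audit baseline: a one-year max-age (31536000 s), the threshold
# commonly applied in BOD 18-01 style HTTPS checks; adjust to your own policy.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 and flag weaknesses."""
    p = HstsPolicy()
    if value is None:
        p.problems.append("no Strict-Transport-Security header")
        return p
    seen = set()
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # RFC 6797 forbids repeated directives
            p.problems.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if arg.isdigit():
                p.max_age = int(arg)
            else:
                p.problems.append("malformed max-age")
        elif name == "includesubdomains":
            p.include_subdomains = True
        elif name == "preload":
            p.preload = True
        # any other directive is ignored, as RFC 6797 requires of user agents
    if p.max_age is None:
        p.problems.append("max-age missing")   # a UA would ignore the whole header
    elif p.max_age < MIN_MAX_AGE:
        p.problems.append(f"max-age {p.max_age} is below {MIN_MAX_AGE}")
    return p


def audit_headers(headers: Dict[str, str]) -> HstsPolicy:
    # Header names in a captured response map are matched case-insensitively.
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    return parse_hsts(sts)
```

An empty `problems` list means the endpoint is serving an HSTS policy that meets the assumed baseline; the constructed header maps in the test show a proxied application that passes and one with no header at all.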