Support HSTS (HTTP Strict Transport Security) on Application Gateway
There are no support concerning HSTS today, this is requested by many customers and they have to use 3rd party for accomplish it.
This can now be accomplished using the new Header Rewrite capability in the V2 SKU. Please see the documentation here https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers#implement-security-http-headers-to-prevent-vulnerabilities
Additionally, if you would like to get in touch with us to discuss your specific scenarios, please fill this form: https://aka.ms/ApplicationGatewayCohort
Joran Markx commented
We were able to accomplish this by adding rewrite rules. See https://docs.microsoft.com/bs-cyrl-ba/azure/application-gateway/tutorial-http-header-rewrite-powershell#specify-your-http-header-rewrite-rule-configuration for details. You can also use the portal to add the rewrite.
This is a very important Feature to include Microsoft
xiang zhou commented
Anyone knows how to enforce HSTS on Application Gateway?
Marcus Mason commented
Microsoft services require use of HSTS. We lost this functionality moving from F5 load balancers to Application Gateways.