Hi,
Struggling with an HSTS header (Strict-Transport-Security).
I picked up a codebase which had the STS header set in the next.config.js as:
    // next.config.js
    // other headers etc
    {
      key: "Strict-Transport-Security",
      value: "max-age=63072000; includeSubDomains; preload",
    }
However, none of the headers from this existing file were visible in the production response - This seemed good as we don’t want “includeSubDomains” or “preload” and want to set the max-age to 1 year anyway.
- Removed the headers from the next.config entirely.
- Attempted to set these using the vercel.json and all of the headers were visible. However, the STS header was set to its original values above.
- Tried again with middleware and see the same result.
    // vercel.json
    // other headers etc
    {
      "key": "Strict-Transport-Security",
      "value": "max-age=31536000"
    }
I’ve tried deleting HSTS data from my browsers, incognito, removing the header entirely from code, and all of the recommended fixes from searches.
Some edge level caching? I don’t really know how it all works to be honest.
Any help appreciated.
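
One way to pin down exactly how the served header differs from the intended one is to parse both values by the RFC 6797 rules and compare them directive by directive. This is an added example, not part of the original post; `parseHsts` and `diffHsts` are hypothetical names, and the two sample strings are the values quoted in the post.

```javascript
// Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
// Splitting on ";" is sufficient here because no HSTS directive value contains one.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (!part) continue; // empty directives are allowed by the grammar
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : part.slice(eq + 1).trim();
    // Values may be given in quoted-string form: max-age="31536000"
    if (arg && arg.length >= 2 && arg.startsWith('"') && arg.endsWith('"')) arg = arg.slice(1, -1);
    // A directive may appear only once; a repeat makes the header invalid.
    if (seen.has(name)) policy.errors.push(`duplicate directive: ${name}`);
    seen.add(name);
    if (name === "max-age") {
      if (arg !== null && /^\d+$/.test(arg)) policy.maxAge = Number(arg);
      else policy.errors.push("max-age is not a non-negative integer");
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true; // not defined by RFC 6797; read by browser preload lists
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  if (!seen.has("max-age")) policy.errors.push("max-age is required");
  return policy;
}

// Compare the value a deployment serves with the value the config intends.
function diffHsts(servedValue, intendedValue) {
  const observed = parseHsts(servedValue);
  const intended = parseHsts(intendedValue);
  const diffs = [];
  for (const key of ["maxAge", "includeSubDomains", "preload"]) {
    if (observed[key] !== intended[key]) {
      diffs.push(`${key}: served ${observed[key]}, intended ${intended[key]}`);
    }
  }
  return { observed, intended, diffs };
}

// Sample input: the production value and the vercel.json value from the post.
const served = "max-age=63072000; includeSubDomains; preload";
const wanted = "max-age=31536000";
console.log(diffHsts(served, wanted).diffs);
```

Feed it the header value taken from a raw response (for example `curl -sI` against the production URL), which is unaffected by any HSTS state stored in a browser.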