Add note about HSTS header to README

Stafford Brunk
2014-04-08 06:53:30 -06:00
parent e2135a2c5f
commit 1d7422efb9

@@ -127,6 +127,12 @@ The nginx configuration will need to be reloaded in order for the updated TLS co
**Note**: TLS will not be enabled unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for *.example.com TLS won't be enabled for something.example.org or example.net)
### HSTS Header
The [HSTS header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is an HTTP header that can inform browsers that all requests to a given site should be made via HTTPS. dokku does not, by default, enable this header. It is thus left up to you, the user, to enable it for your site.
Beware that if you enable the header and a subsequent deploy of your application results in an HTTP deploy (for whatever reason), the way the header works means that a browser will not attempt to request the HTTP version of your site if the HTTPS version fails.
## Upgrading
Dokku is in active development. You can update the deployment step and the build step separately.
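Review bot: The new "HSTS Header" section says enabling the header is "left up to you, the user" but never says how or where to do it, so a reader has no starting point. Consider adding one sentence that names the `Strict-Transport-Security` header and points at the nginx configuration for the app, where it would be set. The "Beware" paragraph would also be more useful if it mentioned the header's `max-age` directive, since that value decides how long a browser keeps refusing plain HTTP after a deploy falls back to HTTP; suggesting a short `max-age` while testing would give the warning a practical mitigation. Minor wording: "results in an HTTP deploy" could read "is served over HTTP only".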