Add HSTS headers to the web server

CHANGELOG.md

@@ -11,6 +11,8 @@ For details about compatibility between different releases, see the **Commitment
 
 ### Added
 
+- Add HSTS response headers.
+
 ### Changed
 
 ### Deprecated

pkg/web/web.go

@@ -196,6 +196,7 @@ func New(ctx context.Context, opts ...Option) (*Server, error) {
 		mux.MiddlewareFunc(webmiddleware.Metadata("X-Forwarded-For", "User-Agent")),
 		mux.MiddlewareFunc(webmiddleware.MaxBody(1024*1024*16)),
 		mux.MiddlewareFunc(webmiddleware.SecurityHeaders()),
+		mux.MiddlewareFunc(webmiddleware.HSTSHeaders()),
 		mux.MiddlewareFunc(webmiddleware.Log(logger, options.logIgnorePaths)),
 		mux.MiddlewareFunc(webmiddleware.Cookies(hashKey, blockKey)),
 		mux.MiddlewareFunc(webmiddleware.NoCache),

pkg/webmiddleware/hsts_headers.go

@@ -0,0 +1,33 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webmiddleware
+
+import (
+	"net/http"
+)
+
+// HSTSHeaders returns a middleware that adds HTTP Strict Transport Security (HSTS) headers.
+// See https://datatracker.ietf.org/doc/html/rfc6797 and https://hstspreload.org/.
+func HSTSHeaders() MiddlewareFunc {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Only add HSTS when the request is served over HTTPS.
+			if r.TLS != nil {
+				w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

pkg/webmiddleware/hsts_headers_test.go

@@ -0,0 +1,64 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webmiddleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/smarty/assertions"
+	"go.thethings.network/lorawan-stack/v3/pkg/webmiddleware"
+)
+
+func TestHSTSHeaders(t *testing.T) {
+	t.Parallel()
+
+	a := assertions.New(t)
+
+	m := webmiddleware.HSTSHeaders()
+	a.So(m, assertions.ShouldNotBeNil)
+
+	t.Run("HTTPS request should add HSTS headers", func(t *testing.T) {
+		t.Parallel()
+		a := assertions.New(t)
+
+		req := httptest.NewRequest("GET", "https://example.com", nil)
+		rec := httptest.NewRecorder()
+
+		handler := m(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+
+		handler.ServeHTTP(rec, req)
+
+		a.So(rec.Header().Get("Strict-Transport-Security"), assertions.ShouldNotBeEmpty)
+	})
+
+	t.Run("HTTP request should NOT add HSTS headers", func(t *testing.T) {
+		t.Parallel()
+		a := assertions.New(t)
+
+		req := httptest.NewRequest("GET", "http://example.com", nil)
+		rec := httptest.NewRecorder()
+
+		handler := m(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		handler.ServeHTTP(rec, req)
+
+		a.So(rec.Header().Get("Strict-Transport-Security"), assertions.ShouldBeEmpty)
+	})
+}