I am trying to set the Strict-Transport-Security header in my ASP.NET Core application to enforce HTTPS with a max-age of 1 year (31536000 seconds), along with includeSubDomains and preload. However, when I check the headers in the browser, the max-age value is always set to 2592000 (30 days) instead of 31536000.
Here is the middleware code I am using:
app.Use(async (context, next) =>{ if (!env.IsDevelopment()) { context.Response.Headers.Append("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); } await next();});I have also verified that:
The application is running in the production environment (env.IsDevelopment() is false).The browser cache has been cleared.The application is deployed on Azure with HTTPS enabled.Why is the max-age value in the Strict-Transport-Security header not updating to 31536000? Is there any configuration in Azure or ASP.NET Core that might override this value?
