DOC-1386 Add HSTS to Console

[micheleRP]

Description

Do not merge until next Console release

This pull request adds new documentation to clarify Redpanda Console's behavior regarding HTTP Strict Transport Security (HSTS) when TLS is enabled. The update explains what HSTS is, how it works in the context of Redpanda Console, and how users can verify that it is enabled.

• Added a new section describing how Redpanda Console automatically sends the HSTS header (Strict-Transport-Security: max-age=31536000) when TLS is enabled, including its security benefits and browser behavior.
• Provided instructions and an example command for verifying the presence of the HSTS header in server responses.

Resolves https://redpandadata.atlassian.net/browse/DOC-1386
Review deadline:

Page previews

HTTP Strict Transport Security (HSTS)

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

❌ Deploy Preview for redpanda-docs-preview failed. Why did it fail? →

Name	Link
🔨 Latest commit	7744af1
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/693aef9e0ffe5a0008857bc7

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds documentation for HTTP Strict Transport Security (HSTS) behavior in Redpanda Console's TLS termination configuration guide. The changes introduce two new sections describing how the Strict-Transport-Security header is configured (max-age=31536000), explaining client-side enforcement behavior, timing of enforcement, security protections provided, and including a curl verification example. The documentation is duplicated in two contexts to address both direct TLS termination and upstream component scenarios.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Single documentation file with straightforward content additions
• No functional code changes, logic, or structural modifications
• Verification needed on HSTS header value accuracy and documentation clarity
• Consider confirming intentionality of content duplication across both TLS termination contexts

Suggested reviewers

• weeco
• Feediver1
• mattschumpert

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding HSTS documentation to Console, directly aligned with the changeset's core objective.
Linked Issues check	✅ Passed	The PR fully addresses DOC-1386's objectives by documenting HSTS behavior, security implications, header details, and providing verification instructions with examples.
Out of Scope Changes check	✅ Passed	All changes are scoped to documentation of HSTS in the TLS termination page, directly aligned with DOC-1386 requirements with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description includes all required template sections with appropriate content and context.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DOC-1386-Document-feature-Add-HTTP-Strict-Transport-Security-HSTS-to-Console

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[graham-rp]

Looks great, thanks!

[kbatuigas]

lgtm!