redpanda-data · micheleRP · Dec 11, 2025 · Dec 11, 2025
@@ -148,6 +148,40 @@ If you want Redpanda Console to serve HTTPS on a non-standard port like 8081, bu
 
 NOTE: If you host Redpanda Console under a sub-path of your domain, such as `+https://my-company.com/redpanda/console+`, configure xref:console:config/http-path-rewrites.adoc[HTTP path rewrites] in Redpanda Console.
 
+=== HTTP Strict Transport Security (HSTS)
+
+When TLS is enabled, Redpanda Console server automatically adds the HTTP Strict Transport Security (HSTS) header to all responses:
+
+```
+Strict-Transport-Security: max-age=31536000
+``` 
+
+The HSTS header instructs web browsers to:
+
+* Always connect to Redpanda Console using HTTPS, never HTTP
+* Automatically upgrade any HTTP requests to HTTPS for the next 365 days (31536000 seconds)
+* Refuse connections if there are certificate errors or warnings
+
+This behavior begins after the browser's first successful HTTPS connection to Redpanda Console.
+
+HSTS provides protection against:
+
+* Protocol downgrade attacks: Prevents attackers from forcing connections to use insecure HTTP
+* Accidental insecure connections: Users typing `http://` in their browser are automatically redirected to HTTPS
+* Session hijacking: Eliminates the risk window where HTTP traffic could be intercepted before redirect
+
+You can verify that HSTS is enabled by checking the response headers:
+
+```
+curl -svk https://localhost:9091/ 2>&1 | grep -i strict-transport-security
+```
+
+Expected output:
+
+```
+< strict-transport-security: max-age=31536000
+```
+
 == Use an upstream component for TLS termination
 
 When you use an upstream component for TLS termination, the upstream component handles the secure TLS connection, and Redpanda Console receives unencrypted HTTP traffic from this component. You can use various upstream components, including reverse proxies, such as NGINX and HAProxy, as well as cloud HTTPS load balancers. To use this option, you must: