Description
Is your feature request related to a problem? Please describe.
I'm looking to improve the security posture of the Web STOMP interface in RabbitMQ by enabling the Strict-Transport-Security (HSTS) header when TLS is enabled. However, I couldn't find any documentation or configuration options confirming whether this is supported by the Web STOMP plugin.
I have also raised this question in the RabbitMQ Users Google Group, and was advised by the RabbitMQ team to open a feature request here.
Describe the solution you'd like
It would be helpful to have support for adding custom HTTP response headers—especially the Strict-Transport-Security header—when using the Web STOMP plugin over TLS. Ideally, this could be configured via rabbitmq.conf.
Describe alternatives you've considered
I considered placing an external reverse proxy (like NGINX or Apache) in front of RabbitMQ to inject the HSTS header, but we prefer a more streamlined setup where RabbitMQ handles TLS directly without additional infrastructure layers.
Additional context
Here’s a snippet of our current Web STOMP TLS configuration in rabbitmq.conf:
{rabbitmq_web_stomp,
  [
    {tcp_config, []},
    {ssl_config, [
      {port, ${rabbitmq:web_stomp_port}},
      {backlog, 1024},
      {cacertfile, "${rabbitmq:ca_bundle_cert_path}"},
      {certfile, "${rabbitmq:server_cert_path}"},
      {keyfile, "${rabbitmq:server_key_path}"}
    ]}
  ]
},
We’d appreciate clarification on whether HSTS can be configured for Web STOMP in the current version, and if not, whether this feature could be considered for a future release.
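Whichever way the header ends up being set (native Web STOMP support if it is added, or the reverse-proxy alternative mentioned above), the deployment still needs a check that the policy actually reaches clients well-formed. The following is an added example, not code from this issue or from the RabbitMQ project: a small Python validator for the Strict-Transport-Security header as defined in RFC 6797. The sample response header dicts are constructed, the one-year minimum max-age is an assumed policy floor, and the live `fetch_headers` helper is assumed to be pointed at a TLS listener, since browsers ignore HSTS received over plaintext HTTP.

```python
import re
import urllib.request
from typing import Optional

# Constructed sample responses (not captured from a real RabbitMQ deployment):
# header dicts in the shape an HTTP client library returns them.
SAMPLE_RESPONSES = {
    "hsts_ok": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "hsts_short": {"Strict-Transport-Security": "max-age=60"},
    "hsts_missing": {"Content-Type": "text/plain"},
    "hsts_malformed": {"Strict-Transport-Security": "max-age=abc"},
}

# Assumed policy floor: one year, a commonly recommended minimum.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an HSTS header value (RFC 6797 section 6.1) into a directive dict.

    Returns None when the value is malformed: a directive is repeated, or
    max-age is missing or non-numeric.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"')
        if name in directives:
            return None  # RFC 6797 forbids repeated directives
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    return directives


def check_hsts(headers: dict, min_max_age: int = MIN_MAX_AGE) -> list:
    """Return a list of findings for a response's HSTS policy (empty == acceptable)."""
    # Header field names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(value)
    if directives is None:
        return [f"malformed HSTS header: {value!r}"]
    findings = []
    if int(directives["max-age"]) < min_max_age:
        findings.append(f"max-age {directives['max-age']} below recommended {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Fetch response headers from a live https:// endpoint (assumed TLS listener).

    Not exercised by the constructed samples above; only for use against a
    deployment you operate. HSTS on an http:// URL is ignored by browsers.
    """
    if not url.startswith("https://"):
        raise ValueError("HSTS is only honoured over TLS; use an https:// URL")
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, "->", check_hsts(headers) or "ok")
```

Run against a deployment with `check_hsts(fetch_headers("https://<host>:<web_stomp_port>/"))`; an empty list means the header is present, parseable, carries at least the assumed one-year max-age and covers subdomains.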