
How do I enable HSTS headers on an external ALB using Kubernetes annotations?

Context

You want to enable HTTP Strict Transport Security (HSTS) headers on your external Application Load Balancer (ALB) in Kubernetes. HSTS headers help improve security by forcing browsers to use HTTPS connections and prevent protocol downgrade attacks.

Answer

To enable HSTS headers on your ALB, you need to use the listener-attributes annotation rather than the load-balancer-attributes annotation. HSTS headers are configured at the listener level, not the load balancer level.

Add the following annotations to your Kubernetes Ingress resource:

```yaml
alb.ingress.kubernetes.io/listener-attributes.HTTP-80: routing.http.response.strict_transport_security.header_value=max-age=31536000
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: routing.http.response.strict_transport_security.header_value=max-age=31536000
```

Important: This feature requires AWS Load Balancer Controller version 2.13 or later. If you're using an older version, you'll need to upgrade the controller first.

To verify the configuration is working:

- Check that the HSTS headers appear in HTTP responses from your application.
- Verify that the listener configuration in the AWS Console shows the HSTS settings.

The max-age=31536000 value sets the HSTS policy to be valid for one year (31,536,000 seconds). You can adjust this value based on your security requirements.
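The following is an added example, not code from the page or from the AWS Load Balancer Controller project. It builds the per-listener annotation values described above from a chosen max-age, and implements the first verification step as a check over response headers: it parses a Strict-Transport-Security value and reports whether the policy is present and at least as long as the one-year value. The sample response headers are constructed, not captured from a real ALB.

```python
from typing import Dict, Optional

# Listener attribute key for the HSTS response header, as given on the page.
HSTS_ATTRIBUTE = "routing.http.response.strict_transport_security.header_value"
ONE_YEAR = 31536000  # max-age used on the page: one year in seconds

def listener_annotations(max_age: int = ONE_YEAR,
                         listeners=("HTTP-80", "HTTPS-443")) -> Dict[str, str]:
    """Return the Ingress annotations that set the HSTS header on each listener."""
    value = f"{HSTS_ATTRIBUTE}=max-age={max_age}"
    return {f"alb.ingress.kubernetes.io/listener-attributes.{name}": value
            for name in listeners}

def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into directives; names are case-insensitive."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives

def check_hsts(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> str:
    """Return 'ok', or the reason the response lacks an acceptable HSTS policy."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        # Typical causes: annotation not applied, or a controller older than 2.13.
        return "missing"
    age = parse_hsts(value).get("max-age")
    if age is None or not age.isdigit():
        return "invalid max-age"
    if int(age) < min_max_age:
        return f"max-age too short ({age} < {min_max_age})"
    return "ok"

# Constructed sample responses (hypothetical, not real ALB output).
SAMPLE_OK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for key, val in listener_annotations().items():
        print(f"{key}: {val}")
    print("with header:", check_hsts(SAMPLE_OK))
    print("without header:", check_hsts(SAMPLE_MISSING))
```

To run the check against a live endpoint, pass the response headers from your HTTP client of choice into check_hsts in place of the constructed samples.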
