From 7eb8d61d5482fdcf3f1dafc3c0534b4a847bc230 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Tue, 3 Dec 2024 15:48:32 +0100 Subject: [PATCH] HSTS and Varnish --- .../security/security_checklist.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index a8622aff6c..5d81217907 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -255,6 +255,11 @@ Make sure to also include subdomains by means of the `includeSubDomains` setting When using [[= product_name_cloud =]], you can [configure HSTS in `.platform/routes.yaml`](https://docs.platform.sh/define-routes/https.html#enable-http-strict-transport-security-hsts). +Beware if you are using a Varnish proxy: +Your version of Varnish may not support HTTPS connections with your web server. +If so, make sure to only enable HSTS between your public-facing proxy and the clients. +When using [[= product_name_cloud =]], this is handled automatically. + ## Domain ### Enable Domain Name System Security Extensions (DNSSEC)
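Review bot: In the added Varnish paragraph, "make sure to only enable HSTS between your public-facing proxy and the clients" is ambiguous, because HSTS is a response header that browsers act on, not a setting on the connection between two hops. Suggest stating concretely where the `Strict-Transport-Security` header should be set (on the public-facing, TLS-terminating proxy) and that the Varnish-to-web-server hop remains plain HTTP in that setup. "Your version of Varnish may not support HTTPS connections with your web server" also leaves readers to work out whether they are affected; a link to the relevant Varnish documentation or a short note on how to check would help. Since this lands in the security checklist, consider one more sentence saying the unencrypted hop between Varnish and the web server should stay on a trusted internal network.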