Merge pull request #7083 from readthedocs/davidfischer/document-hsts-support

ericholscher · web-flow · commit 8652573774a4 · 2020-05-18T15:57:02.000-07:00
Document HSTS support
diff --git a/docs/custom_domains.rst b/docs/custom_domains.rst
@@ -99,6 +99,19 @@ You can also host your documentation from your own domain.
 
          .. _Amazon CAA guide: https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
 
+Strict Transport Security
++++++++++++++++++++++++++
+
+By default, we do not return a `Strict Transport Security header`_ (HSTS) for user custom domains.
+This is a conscious decision as it can be misconfigured in a not easily reversible way.
+For both |org_brand| and |com_brand|, HSTS for custom domains can be set upon request.
+
+We always return the HSTS header with a max-age of at least one year
+for our own domains including ``*.readthedocs.io``, ``*.readthedocs-hosted.com``, ``readthedocs.org`` and ``readthedocs.com``.
+
+.. _Strict Transport Security header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+
+
 Proxy SSL
 ---------
 
