fix(security): increase HSTS max-age to 1 year

[vfanucci]

Summary

Increases Strict-Transport-Security max-age from 15552000 (~180 days) to 31536000 (365 days).

Why

• HSTS preload eligibility — browsers (Chrome, Firefox, Safari) maintain a preload list of sites that must always be loaded over HTTPS. The minimum requirement is max-age >= 31536000. At 15552000 we don't qualify.
• No downside — kestra.io is HTTPS-only behind Cloudflare with no reason to ever serve HTTP. The only risk of a longer max-age is being locked into HTTPS for longer, which is a non-issue.

Change

src/middlewares/worker.ts line 62:

- response.headers.set("strict-transport-security", "max-age=15552000")
+ response.headers.set("strict-transport-security", "max-age=31536000")

Verification

• Deploy preview → curl -sI https://<preview-url> | grep strict-transport-security → max-age=31536000

🤖 Generated with Claude Code

[github-actions]

☁️ Cloudflare Worker Preview Deployed!

🔗 https://ks-fix-hsts-max-age-docs.kestra-io.workers.dev
🔗 https://d41681e3-docs.kestra-io.workers.dev

## 🔦 Lighthouse Benchmark

Tested: https://ks-fix-hsts-max-age-docs.kestra-io.workers.dev on 2026-04-14 10:35 UTC
Compared against main baseline from 2026-04-10

Scores (0–100, higher is better)

Page	Performance	Accessibility	Best Practices	SEO
Home	63	79	59	92
Pricing	98	88	59	100
Enterprise	89	78	59	100
Cloud	89	83	59	100
About Us	98	87	59	100
Docs Landing	82	84	59	92
Contribute to Kestra (simple docs)	97	84	59	92
Flow (full featured docs)	92	86	59	92
Blog Index	65 🔻 -16	86	59	100
Blog Post (sample)	93	83	59	100
VS Page (sample)	97	88	59	100
Plugins Landing	94	77	59	92
Plugin Page (sample)	96	87	59	100
Plugin Debug Page (sample)	95	87	59	100
Plugin Debug Return Page (sample)	96	87	59	100
Blueprints Landing	92	77	56	92
Blueprint Audit Logs CSV Export	63	82	59	100

Core Web Vitals (lower is better)

Page	LCP	FCP	TBT	CLS	Speed Index
Home	1.41 s 🟢	0.96 s 🟢	534 ms 🔻	0.000	4.42 s 🟢
Pricing	1.07 s	0.58 s	52 ms	0.000	0.82 s
Enterprise	2.07 s	0.91 s	49 ms 🔻	0.000	1.05 s 🟢
Cloud	2.08 s	0.50 s	89 ms 🔻	0.000	0.87 s
About Us	1.00 s	0.56 s	52 ms	0.000	0.81 s
Docs Landing	2.83 s 🔻	0.67 s 🟢	121 ms	0.000	0.94 s
Contribute to Kestra (simple docs)	0.94 s	0.57 s	124 ms 🔻	0.003	0.74 s
Flow (full featured docs)	1.25 s	0.66 s 🟢	180 ms	0.000	1.10 s
Blog Index	7.52 s 🔻	0.51 s 🟢	48 ms	0.001	20.37 s 🔻
Blog Post (sample)	1.80 s 🔻	0.49 s	48 ms	0.000	0.60 s 🟢
VS Page (sample)	1.20 s	0.54 s	62 ms	0.000	0.92 s
Plugins Landing	0.99 s 🟢	0.48 s	104 ms 🔻	0.000	2.04 s 🔻
Plugin Page (sample)	0.87 s	0.51 s	49 ms 🔻	0.051	1.78 s
Plugin Debug Page (sample)	0.89 s	0.53 s	86 ms	0.001	1.86 s 🔻
Plugin Debug Return Page (sample)	0.96 s 🟢	0.53 s	90 ms	0.025	1.55 s
Blueprints Landing	1.42 s	0.79 s	8 ms 🟢	0.000	1.97 s 🔻
Blueprint Audit Logs CSV Export	0.97 s 🟢	0.58 s	268 ms 🔻	0.485	2.14 s

Legend

🟢 improved  ·  🔻 regressed  ·  (blank) no significant change
Score threshold: ±10 pts  ·  Metric threshold: ±30% of baseline

[vfanucci]

Very low priority on this one