Does anyone know why we can’t use the HTTP Strict-...
# suitecommerce
m
Does anyone know why we can’t use the HTTP Strict-Transport-Security response header (HSTS) in SCA? My IT department reports that it’s a best practice to inform returning visitors to only ever connect over HTTPS, thus helping mitigate the risks of man-in-the-middle scenarios. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security I tried to set the response header in the .ssp, but it generated an SSS_INVALID_HEADER error and I was presented with a SuiteScript notice that one or more of my headers were not valid. After some digging I found SuiteAnswer #44733… and Strict-Transport-Security was listed as a blocked header. Oof. Any ideas?
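The following is an added example, not code from the original poster or from SuiteCommerce: a small validator for a Strict-Transport-Security header value, written the way a compliance scanner would check it. It follows the directive grammar of RFC 6797 (a required `max-age` in seconds, optional `includeSubDomains` and `preload`, case-insensitive names, an optionally quoted `max-age` value, each directive at most once, unknown directives ignored). The preload-eligibility rule (a one-year `max-age`, `includeSubDomains` and `preload` all present) reflects the hstspreload.org submission requirements as the author of this example understands them; treat that threshold as an assumption. It is useful for confirming, from a captured response, whether the value support enabled on a site actually satisfies a scanner, or for unit-testing a header you intend to send.

```javascript
// Added example (not part of the original thread or the SuiteCommerce code base):
// parse and check a Strict-Transport-Security header value per RFC 6797.
// Returns an object describing the directives and any syntax problems found.

const ONE_YEAR_SECONDS = 31536000; // assumed minimum max-age for preload submission

function parseHsts(headerValue) {
  const result = {
    ok: false,            // syntactically valid and usable by a browser
    maxAge: null,         // seconds, or null if absent/invalid
    includeSubDomains: false,
    preload: false,
    enforcing: false,     // max-age > 0 actually pins the host to HTTPS
    preloadEligible: false,
    problems: [],
  };

  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    result.problems.push('header missing or empty');
    return result;
  }

  const seen = new Set();
  for (const rawDirective of headerValue.split(';')) {
    const token = rawDirective.trim();
    if (token === '') continue; // a trailing ";" is tolerated

    // Split "name=value"; whitespace around "=" is trimmed leniently.
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : token.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // max-age="31536000" is permitted by the RFC
    }

    // RFC 6797: each directive may appear at most once; otherwise the header is invalid.
    if (seen.has(name)) {
      result.problems.push(`duplicate directive: ${name}`);
      continue;
    }
    seen.add(name);

    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) {
        result.problems.push('max-age must be a non-negative integer number of seconds');
      } else {
        result.maxAge = Number(value);
      }
    } else if (name === 'includesubdomains') {
      if (value !== null) result.problems.push('includeSubDomains takes no value');
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      if (value !== null) result.problems.push('preload takes no value');
      result.preload = true;
    }
    // Any other directive name is ignored, as browsers do.
  }

  if (result.maxAge === null && !result.problems.length) {
    result.problems.push('max-age directive is required');
  }

  result.ok = result.problems.length === 0 && result.maxAge !== null;
  result.enforcing = result.ok && result.maxAge > 0;
  result.preloadEligible =
    result.ok &&
    result.maxAge >= ONE_YEAR_SECONDS &&
    result.includeSubDomains &&
    result.preload;
  return result;
}

// Constructed sample values, as a scanner might see them in a captured response.
console.log(parseHsts('max-age=31536000; includeSubDomains; preload'));
console.log(parseHsts('max-age=0')); // valid, but clears the host's HSTS entry rather than enforcing

module.exports = { parseHsts, ONE_YEAR_SECONDS };
```

Note that `max-age=0` parses as valid but is reported as not enforcing: it instructs the browser to forget the host, which is the mechanism for rolling HSTS back, not a weak form of enabling it. A header that fails `ok` is ignored entirely by conforming browsers, so a duplicate or malformed directive silently leaves the site unprotected even though a header is present.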
w
Did this come up because your SC(A) site is not passing PCI compliance? We had the same issue and had to get support to turn it on for us.
m
It was a compliance scan — but not PCI, per se. Thank you for the tip, @wes_w! I’ll reach out to support.
s
It is supported within SuiteCommerce but not by default. When we introduced it, we were concerned that automatically turning it on would break some legacy sites so we made it opt-in only.