
Support for HSTS (Strict-Transport-Security) Header in Web STOMP Plugin over TLS #14161

@glory-123

Description

Is your feature request related to a problem? Please describe.

I'm looking to improve the security posture of the Web STOMP interface in RabbitMQ by enabling the Strict-Transport-Security (HSTS) header when TLS is enabled. However, I couldn't find any documentation or configuration options confirming whether this is supported by the Web STOMP plugin.

I have also raised this question in the RabbitMQ Users Google Group, and was advised by the RabbitMQ team to open a feature request here.

Describe the solution you'd like

It would be helpful to have support for adding custom HTTP response headers—especially the Strict-Transport-Security header—when using the Web STOMP plugin over TLS. Ideally, this could be configured via rabbitmq.conf.

Describe alternatives you've considered

I considered placing an external reverse proxy (like NGINX or Apache) in front of RabbitMQ to inject the HSTS header, but we prefer a more streamlined setup where RabbitMQ handles TLS directly without additional infrastructure layers.

Additional context

Here’s a snippet of our current Web STOMP TLS configuration in rabbitmq.conf:

    {rabbitmq_web_stomp, [
      {tcp_config, []},
      {ssl_config, [
        {port,       ${rabbitmq:web_stomp_port}},
        {backlog,    1024},
        {cacertfile, "${rabbitmq:ca_bundle_cert_path}"},
        {certfile,   "${rabbitmq:server_cert_path}"},
        {keyfile,    "${rabbitmq:server_key_path}"}
      ]}
    ]},

We’d appreciate clarification on whether HSTS can be configured for Web STOMP in the current version, and if not, whether this feature could be considered for a future release.
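Whichever way the header ends up being added (a future plugin option or the reverse-proxy alternative mentioned above), the deployment still needs a way to verify that the TLS listener actually sends a usable Strict-Transport-Security header. The following is an added example written for this page, not code from the RabbitMQ project or from the issue author. It parses an HSTS header value per RFC 6797, reports the common weaknesses (missing header, duplicate header, max-age=0, short max-age, no includeSubDomains), and includes a small fetch helper for a live endpoint; the hostname, the port 15673 and the path /ws are assumptions to be replaced with the deployment's own values, and the one-year threshold is a constructed policy value, not a RabbitMQ requirement.

```python
"""Check whether an HTTPS endpoint (for example a RabbitMQ Web STOMP TLS
listener) sends a Strict-Transport-Security header that browsers will honour.

Added example; not RabbitMQ project code. Host/port/path in fetch_headers()
are placeholders (assumptions), and MIN_MAX_AGE is a constructed threshold.
"""
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed policy threshold: one year in seconds, a commonly recommended
# minimum so the browser keeps enforcing HTTPS between visits.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS field value into {directive-name: value-or-None}.

    Directive names are case-insensitive (RFC 6797, section 6.1), so they are
    lower-cased; a repeated directive is invalid and raises ValueError.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # max-age may be written quoted or unquoted; keep the raw token
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response's headers; an empty list means OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    if len(values) > 1:
        # RFC 6797 section 8.1: a UA processes only the first STS header field
        return ["multiple Strict-Transport-Security headers (only the first is used)"]
    try:
        d = parse_hsts(values[0])
    except ValueError as exc:
        return [f"malformed header: {exc}"]

    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("missing or non-numeric max-age")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(host: str, port: int = 15673, path: str = "/ws",
                  timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Fetch response headers from a TLS endpoint (port/path are assumptions)."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses, standing in for what fetch_headers() returns.
SAMPLE_RESPONSES = {
    "no-hsts": [("Content-Type", "text/plain")],
    "good": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "disabled": [("strict-transport-security", "max-age=0")],
    "duplicate": [("Strict-Transport-Security", "max-age=1; max-age=2")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {evaluate_hsts(hdrs) or 'OK'}")
```

Run it against a live listener with `evaluate_hsts(fetch_headers("broker.example.test", 15673))` once the header has been configured; an empty list means the header is present, well-formed and strong enough for the constructed policy above.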
