Oxygen Deployment Overrides Custom HSTS Header in Headless Hydrogen Remix Theme

[intuji-sanchay]

I have built a custom Hydrogen theme using Remix and deployed it on Shopify Oxygen.
During a security scan using UpGuard Webscan (webscans > Domain), two issues were reported on my storefront:

1. • CSP (Content Security Policy) issue
2. • HSTS (Strict-Transport-Security) issue

I was able to fix the CSP issue by updating the entry.server.ts file.
However, the HSTS header cannot be fixed, because Oxygen overrides the custom value during deployment.

What I Did:

1. Added the following HSTS header inside entry.server.ts:
   responseHeaders.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');

   OR Added the following HSTS header inside server.ts:
   response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload;")

2. When running the Hydrogen app locally, the header shows correctly:
   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

3. After deploying the same code to Oxygen, the HSTS header is overwritten by the default Oxygen configuration and shows:
   Strict-Transport-Security: max-age=31536000;

Because of this override, UpGuard’s “Breach Risk” test still fails.

Problem:

Oxygen does not allow Hydrogen developers to fully control security headers such as:

• Strict-Transport-Security

Even after setting custom headers in Hydrogen, Oxygen replaces the HSTS header with its own value.

Request:

Please:

1. Allow custom HSTS headers to be applied from Hydrogen app code,

   OR

2. Provide a configuration option to override Oxygen’s default security headers.

   OR

3. Please set the Strict-Transport-Security: max-age=31536000; includeSubDomains; preload on oxygen configuration.

This is important because external security tools (like UpGuard) flag the storefront as vulnerable, and the issue cannot be fixed at the theme/app level.

Impact:

1. Security scanners report “High Risk” due to missing/incorrect HSTS header.

2. Developers cannot meet compliance/security requirements.

3. No workaround exists since Oxygen forcibly overrides the header.