I was checking the Strict Transport header, which the HTTP endpoint serving the UI enables.
Does it make sense to have the headers in the GRPC services not exposed to internet or serving to UI directly?
If so, what will be the way to enable Strict Transport Header for GRPC services?
I have seen that gRPC trailing-metadata headers can be sent with the response.
But is it the correct way to add the header?
The services are written in Go and I am using GRPC.
HTTP Strict Transport Security (HSTS) is only useful if the client also supports it. gRPC clients don't, so adding such headers doesn't add any value.
The reason HSTS is not useful if the client does not support it is that the headers only say "you should only access this resource over HTTPS", but if the client just ignores that, it can continue to make plain HTTP requests (assuming the server supports both HTTP and HTTPS).
In addition, HSTS only works after the client has accessed the resource at least once and remembered the headers it received at that time. This isn't true for most server-to-server communications.
If you want to ensure that data to/from your gRPC services and clients is encrypted, you can use SSL/TLS as shown on https://grpc.io/docs/guides/auth/#using-client-side-ssltls.
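The TLS setup the answer points to, as an added example that is not part of the original answer or of the gRPC project: it builds the `*tls.Config` values a Go gRPC server (via `credentials.NewTLS` and `grpc.Creds`) and client (`grpc.WithTransportCredentials`) would use, going one step beyond the linked guide by requiring TLS 1.2+ and mutual TLS for the internal services the question describes, and checks them with a loopback handshake using only the standard library. The service name `orders.internal` and the self-signed certificate are constructed for the demo; a real deployment loads CA-issued certificates instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// mtlsConfigs returns the server config (wrap with credentials.NewTLS, pass to grpc.Creds) and the client
// config (grpc.WithTransportCredentials): TLS 1.2+, mutual TLS. One self-signed demo cert plays CA and both peers.
func mtlsConfigs(name string) (*tls.Config, *tls.Config) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key, not a real PKI; errs only if crypto/rand fails
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	server := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}},
		MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	return server, &tls.Config{Certificates: server.Certificates, MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: name}
}

// handshake runs the client against the server over loopback and returns the negotiated TLS version.
func handshake(srv, cli *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake() // the client certificate is verified here
		}
		errc <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer c.Close()
	return c.ConnectionState().Version, <-errc // the server's verdict arrives after the client is done
}
```

Because TLS 1.3 lets the client finish its handshake before the server has verified the client certificate, a rejected certificate shows up only as the server's Handshake error, which is why handshake waits on errc instead of trusting the client's result alone.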