I found out that the HSTS header can be added in the /etc/gitlab/gitlab.rb with the following command:
nginx['custom_gitlab_server_config'] = "add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;"
But there is a default HSTS header added in the /var/opt/gitlab/nginx/conf/gitlab-http.conf as follows:
add_header Strict-Transport-Security "max-age=63072000";
When both commands are added, there are 2 HSTS headers displayed in "Analyse your HTTP response headers" (securityheaders.com).
If I modify the /var/opt/gitlab/nginx/conf/gitlab-http.conf to add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload;' always;, it still shows add_header Strict-Transport-Security "max-age=63072000"; after executing gitlab-ctl reconfigure.
How to have only one HSTS header?
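The duplicate-header situation above matters because RFC 6797 (section 8.1) says a browser processes only the first Strict-Transport-Security header in a response and ignores the rest, so whichever header nginx emits first silently decides the policy. The following Ruby script is an added example, not code from the post or from GitLab: it takes a raw response header block, counts the HSTS headers, parses the directives of each one, and reports which policy a browser would actually honour and whether the duplicates disagree. The sample response is constructed to mirror the two headers described in the post; the function names are my own.

```ruby
# Added example (not from the original post or from GitLab): detect duplicate
# Strict-Transport-Security headers in a raw HTTP response header block and
# show which policy a browser will honour. Per RFC 6797 section 8.1 a user
# agent processes only the first STS header field it receives.

# Parse the directives of one HSTS header value into a Hash, e.g.
# "max-age=31536000; includeSubDomains; preload;" =>
#   {"max-age"=>"31536000", "includesubdomains"=>nil, "preload"=>nil}
# Directive names are case-insensitive; an empty trailing directive is ignored.
def parse_hsts(value)
  value.split(';').each_with_object({}) do |directive, acc|
    d = directive.strip
    next if d.empty?
    name, val = d.split('=', 2)
    acc[name.strip.downcase] = val&.strip&.delete('"')
  end
end

# Return every Strict-Transport-Security value found in a raw header block,
# in the order the server sent them (header names are case-insensitive).
def hsts_values(raw_headers)
  raw_headers.each_line.filter_map do |line|
    name, value = line.split(':', 2)
    next unless value && name.strip.casecmp?('strict-transport-security')
    value.strip
  end
end

# Summarise the HSTS situation: how many headers were sent, which one a
# browser will honour (the first), and whether the remaining ones differ.
def check_hsts(raw_headers)
  values = hsts_values(raw_headers)
  effective = values.first && parse_hsts(values.first)
  {
    count: values.size,
    effective: effective,
    duplicates_differ: values.map { |v| parse_hsts(v) }.uniq.size > 1,
  }
end

# Constructed sample response (not a real capture), modelled on the two
# headers described in the post: the generated default first, the custom
# header from gitlab.rb second.
SAMPLE_RESPONSE = <<~HEADERS
  HTTP/1.1 200 OK
  Server: nginx
  Strict-Transport-Security: max-age=63072000
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
  Content-Type: text/html
HEADERS

if __FILE__ == $PROGRAM_NAME
  result = check_hsts(SAMPLE_RESPONSE)
  puts "HSTS headers found: #{result[:count]}"
  puts "Browser will honour: #{result[:effective].inspect}"
  puts 'WARNING: duplicate HSTS headers disagree' if result[:duplicates_differ]
end
```

Run it against the real output of `curl -sI https://your-gitlab-host/` (replace the host) to see the order your server actually emits. Note that with the sample ordering the browser keeps the bare `max-age=63072000` policy and never sees `includeSubDomains` or `preload`. Hand edits to the generated gitlab-http.conf are overwritten by `gitlab-ctl reconfigure`, as the post observes; GitLab's Omnibus nginx settings documentation exposes `nginx['hsts_max_age']` and `nginx['hsts_include_subdomains']` in gitlab.rb for controlling the generated header, so adjusting those (rather than the conf file) is the place to start reconciling the two headers.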