In addition to what @p-sampath mentioned, when working with Azure infrastructure, think about which layer to make changes in. If you have any infrastructure like Azure Application Gateway, Azure Front Door, or other reverse proxies/load balancers involved, it's likely they are the real and final server to the client. In that case, follow these steps [here](https://learn.microsoft.com/en-us/azure/application-gateway/hsts-http-headers-portal) to have your ApplicationGateway add a rewrite ruleset to inject the strict-transport-security header into the response for the https listener. Otherwise, any changes you make to the front end or the App Service settings directly don't even make it past the gateway to the client.