Hello Gurus,
I have a React web application deployed on Cloud Run and I am looking to enable HSTS headers in the response sent out from the Cloud Run container to the browser while opening the application in the browser.
Is there a way to enable custom headers in Cloud Run?
Regards,
Sristi Raj
So with HSTS it is more about how you're servicing the domain than checking a box. You would implement Cloud Run behind a CDN, an Endpoint or Apigee in order to force the redirect to HTTPS (Strict-Transport-Security - HTTP | MDN (mozilla.org)) at the browser, as Cloud Run is a backend service. Your service can also be built to pull the key from Certificate Manager, putting Cloud Run in a NEG behind an SSL Load Balancer (Set up Cloud Run, Cloud Functions, or App Engine | Cloud CDN | Google Cloud). In all cases you would need to manage the domain name (Mapping custom domains | Cloud Run Documentation | Google Cloud), as Cloud Run deploys in the *run.app domain space and does not support custom headers at this time. If Cloud Run is internal only, Private Access and a Private Connect can be configured to enforce HTTPS with Cloud Run having a private DNS record. Context Aware and IAP policies can enforce the secure protocols and header requirements.
Thanks @djs_75. This helps. We have now started to run Cloud Run behind LB and enable HSTS in LB.
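
Once HSTS is set at the load balancer, the response header can be checked as follows. This is an added example, not part of the original thread: a Python check that parses a `Strict-Transport-Security` value following RFC 6797 and flags common problems. The function names, the one-year threshold and the sample response are assumptions constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # assumed minimum max-age for this check (one year, in seconds)

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797, section 6.1).
    Returns a dict, or None if a browser would discard the header."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if not name:
            continue  # empty directives between ';' are allowed
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form, e.g. max-age="600"
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen[name] = arg
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def audit(scheme, headers):
    """headers: (name, value) pairs from one response. Returns a list of findings."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["ignored: browsers disregard HSTS sent over plain HTTP"] if values else []
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    policy = parse_hsts(values[0])  # browsers process only the first header field
    if policy is None:
        return ["invalid: header would be discarded"]
    findings = []
    if len(values) > 1:
        findings.append("duplicate: header set more than once (e.g. by app and LB)")
    if policy["max_age"] == 0:
        findings.append("disabled: max-age=0 clears any stored policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("short: max-age below one year")
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload set without includeSubDomains")
    return findings

if __name__ == "__main__":
    # Constructed sample: header emitted twice, the first copy with a short max-age.
    sample = [("Strict-Transport-Security", "max-age=300"),
              ("strict-transport-security", "max-age=31536000; includeSubDomains")]
    print(audit("https", sample))
```
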