This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is configured, a browser that has received the policy establishes only HTTPS connections to Dynamic Route for CDN (DCDN). HSTS protects against protocol downgrade attacks and the cookie hijacking they enable.

Prerequisites

Make sure an HTTPS certificate is configured. For more information, see Configure HTTPS certificates.

Background information

When HTTPS is enabled for your website, HTTP requests destined for the website are redirected to HTTPS with a 301 or 302 response, regardless of whether you enter an HTTP URL in the address bar of the browser or click an HTTP link. The initial request and the redirect response travel in plaintext, so an attacker on the path can intercept them and keep the client on HTTP (an SSL stripping attack); the redirected request then never reaches the server over HTTPS. HSTS is introduced to resolve this issue.

HSTS is a response header: Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters in the header.
Parameter Description
max-age The period, in seconds, during which the browser remembers that the domain must be accessed only over HTTPS. The period is renewed each time the browser receives the header over HTTPS.
Strict-Transport-Security While an unexpired entry for the domain exists in the browser (that is, within the max-age period), the browser rewrites every HTTP request to the domain to HTTPS before sending it; browser developer tools show this as a 307 internal redirect. Because the request never leaves the browser in plaintext, the hijacking risk of a server-side 301 or 302 redirect does not apply.
includeSubDomains Optional. If this parameter is specified, the policy also applies to all subdomains of the domain.
preload Optional. If this parameter is specified, the domain owner consents to inclusion in the HSTS preload list that is built into browsers; the domain must still be submitted to the list separately. A preloaded domain is accessed over HTTPS even on the very first request.
Note
  • Before HSTS takes effect, the first HTTP request is still redirected to HTTPS with a 301 or 302 response. HSTS protects only subsequent requests made within the max-age period.
  • Browsers honor the HSTS header only in responses to HTTPS requests. A Strict-Transport-Security header in an HTTP response is ignored.
  • HSTS takes effect only on port 443.
  • HSTS takes effect only on domain names. Browsers ignore the header when the host is an IP address.
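The following is an added example, not DCDN code, that models how a browser applies the rules above (RFC 6797): it parses the Strict-Transport-Security value, ignores the header on plain HTTP responses and for IP address hosts, stores the policy with its max-age expiry, and decides whether an http:// request to a host (or a subdomain, when includeSubDomains is set) is rewritten to https:// before it is sent. The host names, the injectable clock, and the constructed header values are illustration only.

```python
# Added example (not DCDN code): a small model of how a browser handles
# the Strict-Transport-Security header, following RFC 6797.
import time
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, Optional, Tuple


class HstsParseError(ValueError):
    """Raised when a Strict-Transport-Security value is malformed."""


def parse_hsts(header: str) -> Tuple[int, bool, bool]:
    """Parse a header value and return (max_age, include_subdomains, preload).

    Directive names are case-insensitive, each may appear at most once,
    max-age is mandatory, and unknown directives are ignored (RFC 6797 6.1).
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise HstsParseError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise HstsParseError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise HstsParseError("max-age directive is required")
    return max_age, include_subdomains, preload


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


@dataclass
class _Entry:
    expires_at: float
    include_subdomains: bool


class HstsCache:
    """The browser's per-host HSTS store. `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: Dict[str, _Entry] = {}

    def process_response(self, host: str, over_https: bool,
                         header: Optional[str]) -> bool:
        """Apply the STS header of one response; return True if the store changed."""
        if not over_https or header is None:
            return False                      # header on plain HTTP is ignored
        if _is_ip_literal(host):
            return False                      # HSTS applies to domain names only
        try:
            max_age, include_subdomains, _preload = parse_hsts(header)
        except HstsParseError:
            return False                      # malformed header: no policy change
        host = host.lower()
        if max_age == 0:
            # max-age=0 tells the browser to forget the host
            return self._entries.pop(host, None) is not None
        self._entries[host] = _Entry(self._now() + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str) -> bool:
        """Would an http:// request to host be rewritten to https:// before it is sent?"""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        # An exact host entry always counts; a superdomain entry counts only
        # if it was stored with includeSubDomains.
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False
```

Two behaviours of the model are worth noting when choosing the DCDN settings: an entry stored with includeSubDomains forces HTTPS for every subdomain until its max-age expires, and nothing the server sends over plain HTTP can shorten that period, because the header is only honored on HTTPS responses. After configuring HSTS, confirm with a client such as curl that the header appears in HTTPS responses from the accelerated domain and not in HTTP ones.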

Procedure

  1. Log on to the Dynamic Route for CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Configure.
  4. In the left-side navigation pane of the specified domain, click HTTPS Settings.
  5. In the HSTS section, click Modify.
  6. In the Configure HSTS dialog box, turn on HSTS, enter a time-to-live value in the Expire In field (this value is sent as max-age), and specify whether to turn on Include Subdomains. Start with a short time-to-live and lengthen it only after every subdomain covered by the policy serves a valid certificate: once a browser has stored the policy, it refuses plain HTTP to those hosts until the value expires.
    [Image: HSTS settings]
  7. Click OK.