This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is enabled, a client, such as a browser, can establish only HTTPS connections to Dynamic Route for CDN (DCDN). This reduces interception risks when you access web pages for the first time.
Prerequisites
Background information
If HTTPS is enabled for your website, HTTP requests for the website (for example, when you enter an HTTP URL in the address bar of a browser or click an HTTP link) are redirected to the HTTPS version of the website by a 301 or 302 response. Because the first request and the redirect response travel over plain HTTP, they may be intercepted, and the redirected request may never reach the server. HSTS is introduced to resolve this issue.
HSTS is delivered in the `Strict-Transport-Security` response header, which has the following syntax:

```
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
```

The following table describes the parameters in the header.
| Parameter | Description |
|---|---|
| max-age | The period, in seconds, for which the browser remembers that the domain name can be accessed only over HTTPS. It is specified as `expireTime` in the header. |
| Strict-Transport-Security | While the HSTS header for a domain name has not expired, the browser itself redirects HTTP requests to that domain name to the HTTPS versions of the web pages, using the 307 status code (an internal redirect). This prevents the interception risks that arise when the redirect is performed between the server and the browser using the 301 or 302 status code. |
| includeSubDomains | Optional. If you specify this parameter, the HSTS policy also takes effect on all subdomains of the domain name. |
| preload | Optional. If you specify this parameter, the domain name is included in the HSTS preload list. |
- Before HSTS takes effect, the first HTTP request is redirected to the HTTPS version of the web page based on the 301 or 302 status code.
- The HSTS response header takes effect on the responses to HTTPS requests. The header does not take effect on the responses to HTTP requests.
- HSTS takes effect only on port 443.
- HSTS takes effect only on domain names. It does not take effect on IP addresses.
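The following added example (not code from the DCDN documentation) models how a client applies the header parameters from the table and the rules in the notes above: it parses `Strict-Transport-Security`, remembers a policy only when it arrives on an HTTPS response for a domain name rather than an IP address, honours `includeSubDomains` and expiry, and decides whether an HTTP request must be upgraded before it is sent. The function names, the in-memory `cache` dictionary, and the `max-age=0` handling are assumptions of this example.

```python
import ipaddress
from collections import namedtuple
from typing import Dict, Optional

HstsPolicy = namedtuple("HstsPolicy", "expires_at include_subdomains preload")  # one remembered policy

def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or malformed."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:              # max-age is mandatory; without it the header is ignored
        return None
    return HstsPolicy(now + max_age, include_subdomains, preload)

def remember_policy(cache: Dict[str, HstsPolicy], scheme: str, host: str, header: str, now: float) -> bool:
    """Store a policy only if it was learned over HTTPS from a domain name, not an IP literal."""
    if scheme != "https":            # the header on a plain-HTTP response does not take effect
        return False
    try:
        ipaddress.ip_address(host)   # HSTS never applies to IP addresses
        return False
    except ValueError:
        pass
    policy = parse_hsts(header, now)
    if policy is None:
        return False
    if policy.expires_at <= now:     # max-age=0 tells the client to forget the host (assumption)
        cache.pop(host, None)
        return False
    cache[host] = policy
    return True

def should_upgrade(cache: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """True if an http:// request to host must be rewritten to https:// (307 internal redirect)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):     # check the host itself, then each parent domain
        policy = cache.get(".".join(labels[i:]))
        if policy is None or policy.expires_at <= now:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False
```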