This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is enabled, a client, such as a browser, can establish only HTTPS connections to Dynamic Route for CDN (DCDN). This reduces interception risks when you access web pages for the first time.

Prerequisites

Make sure an HTTPS certificate is configured. For more information, see Configure an SSL certificate.

Background information

If HTTPS is enabled for your website, HTTP requests destined for the website are redirected to the HTTPS version of the website by using a 301 or 302 status code. This happens when you enter an HTTP URL in the address bar of a browser or click an HTTP link. Because the first request and the redirect response travel over plaintext HTTP, they can be intercepted or tampered with, and the redirected request may never reach the server. HSTS is introduced to resolve this issue.

HSTS is a response header with the following syntax:

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

The following table describes the parameters in the header.

Parameter                   Description
max-age                     The value of expireTime, which is the period for which the browser remembers the HSTS policy. The unit is seconds.
Strict-Transport-Security   Assume that a browser is about to send an HTTP request to a domain name for which it has cached an HSTS header that has not expired. In this case, the browser redirects the HTTP request to the HTTPS version of the web page by using an internal 307 status code. This prevents the interception risk that arises when the HTTP request is redirected between the server and the browser by using a 301 or 302 status code.
includeSubDomains           Optional. If you specify this parameter, the preceding parameters also take effect on all subdomains of the domain name.
preload                     Optional. If you specify this parameter, the domain name can be included in the browser preload list.
Note
  • Before HSTS takes effect, that is, on the first HTTP request, the request is still redirected to the HTTPS version of the web page by using a 301 or 302 status code.
  • The HSTS response header takes effect on the responses to HTTPS requests. The header does not take effect on the responses to HTTP requests.
  • HSTS takes effect on only port 443.
  • HSTS takes effect only on domain names. It does not take effect on IP addresses.
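The following is an added example, not code from the DCDN documentation or from Alibaba Cloud: a small Python model of how a browser parses the Strict-Transport-Security header described in the table above and applies it to later requests according to the rules in the Note (the header counts only on HTTPS responses, only for domain names and not IP addresses, and HTTP on port 80 is upgraded to HTTPS on port 443 with an internal 307). The class and function names, the in-memory policy store, and the sample URLs and timestamps are assumptions made for this illustration, not anything the console or the CDN exposes.

```python
"""Added example: a browser-side model of HSTS parsing and enforcement.
Names, the policy store and all sample values are constructed for illustration."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) at which max-age runs out
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str, now: Optional[float] = None) -> Optional[HstsPolicy]:
    """Parse 'max-age=expireTime [; includeSubDomains] [; preload]'.

    Returns None for a malformed value (a browser ignores such a header):
    max-age is mandatory, must be numeric and must not be repeated.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    now = time.time() if now is None else now
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(now + max_age, include_subdomains, preload)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    """In-memory list of known HSTS hosts, as a browser keeps (assumed model)."""

    def __init__(self) -> None:
        self._policies: dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: dict, now: float) -> bool:
        """Record the policy carried by a response; return True if it was stored.

        Only HTTPS responses count, and hosts that are IP addresses never get a
        policy (both per the Note above). max-age=0 removes an existing entry.
        """
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host or _is_ip_literal(host):
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value, now) if value is not None else None
        if policy is None:
            return False
        if policy.expires_at <= now:            # max-age=0: forget the host
            self._policies.pop(host, None)
            return False
        self._policies[host] = policy
        return True

    def _applicable(self, host: str, now: float) -> Optional[HstsPolicy]:
        # Walk from the exact host up to its parent domains; a parent's policy
        # applies only if it was sent with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def upgrade(self, url: str, now: float) -> tuple:
        """Return (307, https_url) for an internal upgrade, or (0, url) unchanged."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or _is_ip_literal(host) or self._applicable(host, now) is None:
            return 0, url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"  # 80 -> 443
        return 307, urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> list:
    """Constructed exchange (not captured traffic) showing the rules in the Note."""
    store, t0 = HstsStore(), 1_700_000_000.0
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    return [
        store.observe_response("http://example.com/", hsts, t0),      # HTTP: ignored
        store.observe_response("https://example.com/", hsts, t0),     # HTTPS: stored
        store.upgrade("http://example.com/login", t0 + 10),           # upgraded, 307
        store.upgrade("http://www.example.com/", t0 + 10),            # subdomain too
        store.upgrade("http://example.com/", t0 + 31536001),          # max-age expired
    ]
```

Run `demo()` to see the sequence: the header on the plain-HTTP response is discarded, the same header on the HTTPS response is stored, later HTTP links to the domain and its subdomains are rewritten to HTTPS in the browser with a 307, and once max-age elapses the browser falls back to sending HTTP again, which is why the console's Expire In value should be long enough to cover the interval between visits.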

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain, click HTTPS Settings.
  5. In the HSTS section, turn on HSTS, and specify the Expire In and Include Subdomains parameters.
    (Figure: Configure HSTS)
  6. Click OK.