This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is configured, a client can only establish HTTPS connections.
Prerequisites
Background information
When HTTPS is enabled for your website, all HTTP requests destined for the website are redirected to HTTPS through 301 and 302 errors regardless whether you enter an HTTP URL in the address bar of the browser or directly click an HTTP URL. During the redirection process, the request and response messages may be hijacked and consequently the redirected requests cannot be sent to the server. HSTS is introduced to resolve this issue.
HSTS is a response header,
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters in the header.
| Parameter | Description |
|---|---|
| max-age | The maximum time period during which the requested resource is cached. Unit: second. |
| Strict-Transport-Security | Within the time period specified by the max-age parameter, if the Strict-Transport-Security parameter in the HTTP request from the domain has not expired, the browser redirects the HTTP request to HTTPS through a 307 error. This helps to prevent hijacking risks that may arise when the HTTP request is redirected between the server and browser through a 310 or 302 error. |
| includeSubDomains | Optional. If this parameter is set, the preceding parameters take effect on all subdomains of the domain. |
| preload | Optional. This parameter enables you to preload a list. |
Note
- Before HSTS takes effect, the first HTTP request is redirected to HTTPS through a 301 or 302 error.
- The HSTS response header takes effect on the responses to HTTPS requests but not on the responses to HTTP requests.
- HSTS takes effect only on Port 443 and on domains instead of IP addresses.
Procedure
- In the HSTS section, click Modify.
