This topic describes how to configure HTTP Strict Transport Security (HSTS) for Alibaba Cloud Content Delivery Network (CDN). After HSTS is configured, a browser that has received the policy establishes only HTTPS connections to the accelerated domain name. HSTS protects against downgrade attacks on the HTTP-to-HTTPS redirect and against the cookie hijacking that such downgrades make possible.
Prerequisites
Background information
After HTTPS is enabled for your website, requests for HTTP URLs are redirected to the corresponding HTTPS URLs by a response with the HTTP status code 301 or 302. This happens when a user enters an HTTP URL in the address bar of the browser or clicks an HTTP link. The initial request and the redirect response travel in plaintext, so an attacker on the path can intercept them and keep the client on HTTP, for example by rewriting the redirect. The request then never reaches the origin server over HTTPS. HSTS was introduced to resolve this issue.
When the browser is asked to load an HTTP URL for a domain name whose stored HSTS policy has not expired, it rewrites the URL to HTTPS before sending anything on the network and records the change as an internal redirect with the HTTP status code 307. No plaintext request is sent, so there is no 301 or 302 exchange between the browser and the origin server for an attacker to intercept.
The HSTS response header has the following format:
Strict-Transport-Security: max-age=<expireTime>[; includeSubDomains][; preload]
The following table describes the parameters in the header.
Parameter | Description |
---|---|
max-age | Required. The number of seconds, counted from the last time the browser received the header, during which the browser accesses the domain name only over HTTPS. Each HTTPS response that carries the header restarts the timer. A value of 0 tells the browser to discard the stored policy. |
includeSubDomains | Optional. If this parameter is set, the policy also applies to all subdomains of the domain name. |
preload | Optional. Signals that the domain name may be added to the HSTS preload list that is built into browsers, so that even the first visit uses HTTPS. Inclusion requires a separate submission at hstspreload.org, which in turn requires a max-age of at least 31536000 seconds (one year), includeSubDomains, and preload. Removal from the list takes a long time, so set preload only after every subdomain serves HTTPS. |
- Before the browser has stored an HSTS policy for the domain name, its first HTTP request is still redirected to HTTPS by a 301 or 302 response and remains exposed. The policy protects only later visits, unless the domain name is on the preload list.
- Browsers honor the Strict-Transport-Security header only in responses to HTTPS requests. The header in a response to an HTTP request is ignored, so it must be returned by the HTTPS side.
- HSTS applies to port 443 rather than other ports.
- HSTS applies to domain names only. Browsers do not store a policy for an IP address, and the header is ignored when the host is an IP literal.
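To make the header format, the parameter table and the notes above concrete, the following Python script, which is an added example and not Alibaba Cloud CDN code, parses a Strict-Transport-Security value, stores the policy the way a browser does (only from an HTTPS response, only for a host name, max-age=0 discards it), and rewrites later http:// URLs to https:// with the internal 307. Subdomain matching follows includeSubDomains, and port handling follows RFC 6797 section 8.3 on the browser side (port 80 becomes the HTTPS default, any other explicit port is preserved). All function names, the sample host names and the timestamps are constructed for illustration; the preload threshold of 31536000 seconds is the hstspreload.org requirement.

```python
"""Added example (not Alibaba Cloud CDN code): parse a Strict-Transport-Security
header and simulate how a browser stores and applies the policy.
Function names, hosts and timestamps are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the minimum hstspreload.org accepts


@dataclass
class HstsPolicy:
    host: str
    expires_at: int          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse 'max-age=N[; includeSubDomains][; preload]' into
    (max_age, include_subdomains, preload); None if the header is invalid
    (RFC 6797: a missing, repeated or non-numeric max-age means ignore it)."""
    max_age, include_sub, preload = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored
    return None if max_age is None else (max_age, include_sub, preload)


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def store_policy(store, response_scheme, host, header_value, now):
    """Browser-side handling of the header: honoured only on an HTTPS response
    and only for a host name, never for an IP literal. Returns True if applied."""
    if response_scheme != "https" or not host or _is_ip(host):
        return False
    parsed = parse_hsts(header_value)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    host = host.lower()
    if max_age == 0:
        store.pop(host, None)  # max-age=0 tells the browser to forget the host
    else:
        store[host] = HstsPolicy(host, now + max_age, include_sub, preload)
    return True


def _matching_policy(store, host, now):
    """Exact host match, or a parent domain whose policy has includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is None or policy.expires_at <= now:
            continue
        if i == 0 or policy.include_subdomains:
            return policy
    return None


def apply_hsts(store, url, now):
    """Return (307, https_url) when an unexpired policy covers the host of an
    http:// URL; otherwise (None, url), meaning the request goes out in plaintext."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "http" or not host or _is_ip(host):
        return None, url
    if _matching_policy(store, host, now) is None:
        return None, url
    # RFC 6797 8.3: port 80 (explicit or implied) becomes the HTTPS default;
    # any other explicit port is preserved.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return 307, urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_eligible(header_value):
    """hstspreload.org requires max-age >= 1 year, includeSubDomains and preload."""
    parsed = parse_hsts(header_value)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    return max_age >= PRELOAD_MIN_MAX_AGE and include_sub and preload


if __name__ == "__main__":
    store, t0 = {}, 1_700_000_000  # constructed sample policy store and clock
    store_policy(store, "https", "example.com", "max-age=31536000; includeSubDomains", t0)
    print(apply_hsts(store, "http://api.example.com:8080/v1", t0 + 60))
```

Feed the script the header value your CDN domain name actually returns (for example, copied from the response to an HTTPS request) to check that it parses, that it covers the subdomains you expect, and whether it meets the preload requirements before you submit the domain name.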