This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is configured, a client can only establish HTTPS connections.

Prerequisites

An HTTPS certificate is configured. For more information, see Configure HTTPS certificates.

Background information

When HTTPS is enabled for your website, all HTTP requests sent to the website are redirected to HTTPS with a 301 or 302 response, regardless of whether you enter an HTTP URL in the address bar of the browser or click an HTTP link directly. Because this first request and the redirect response travel over plaintext HTTP, they can be hijacked, and the redirected request may then never reach your server. HSTS was introduced to resolve this issue.

HSTS is implemented as a response header with the following format: Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters in the header.

Parameter | Description
max-age | The maximum period, in seconds, for which the browser caches the HSTS policy for the requested domain.
Strict-Transport-Security | Within the period specified by max-age, if the browser still holds an unexpired Strict-Transport-Security policy for the domain, it redirects HTTP requests to that domain to HTTPS internally with a 307 response, before any request leaves the browser. This prevents the hijacking risk that arises when an HTTP request is redirected between the server and the browser through a 301 or 302 response.
includeSubDomains | Optional. If this parameter is set, the preceding parameters also take effect on all subdomains of the domain.
preload | Optional. Indicates that the domain may be included in the HSTS preload list that is built into browsers, so that even the very first request is sent over HTTPS.
Note
  • Before HSTS takes effect, the first HTTP request is still redirected to HTTPS through a 301 or 302 response.
  • The HSTS response header takes effect only when it is sent in the response to an HTTPS request; browsers ignore it in responses to HTTP requests.
  • HSTS takes effect only on port 443 and only for domain names, not IP addresses.
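To make the header semantics concrete, here is an added example (not part of this Alibaba Cloud documentation) that parses a Strict-Transport-Security value and models how a browser caches and applies the policy: the header is honoured only on HTTPS responses and only for domain names, subdomains are covered only with includeSubDomains, and an HTTP request is upgraded internally while max-age has not expired. The HstsCache class, hostnames and timestamps are constructed for illustration.

```python
import ipaddress
from typing import Dict, Optional

def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value; return None if malformed."""
    out: Dict[str, object] = {"includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if "max-age" in out or not arg.isdigit():   # duplicate or non-numeric
                return None
            out["max-age"] = int(arg)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if "max-age" in out else None            # max-age is mandatory

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsCache:                      # minimal model of a browser's HSTS store (constructed)
    def __init__(self) -> None:
        self.policies: Dict[str, dict] = {}

    def observe(self, host: str, scheme: str, header: str, now: float) -> None:
        # Only HTTPS responses count, and only for domain names, never IP literals.
        if scheme != "https" or _is_ip_literal(host):
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max-age"] == 0:    # max-age=0 tells the browser to forget the host
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = dict(policy, set_at=now)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True when the browser itself rewrites http:// to https:// (the internal 307)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p and now - p["set_at"] < p["max-age"] and (i == 0 or p["includeSubDomains"]):
                return True
        return False
```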

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the HSTS section, click Modify.

    (Screenshot: HSTS settings)
  5. In the displayed Configure HSTS dialog box, turn on the HSTS switch, and set Expire In and Include.
  6. Click OK.