This topic describes how to configure HTTP Strict Transport Security (HSTS). After you configure HSTS, clients such as browsers can establish only HTTPS connections to points of presence (POPs). This improves security.
Prerequisites
An SSL certificate is configured. For more information, see Configure an SSL certificate.
Background information
HSTS is a policy mechanism that allows websites to accept only HTTPS connections.
After you configure HSTS, the first time a client connects to a POP over HTTPS, the POP uses a response header to inform the client that only HTTPS requests are allowed within a period of time and blocks HTTP requests. The HSTS response header is in the Strict-Transport-Security:max-age=expireTime [;includeSubDomains] [;preload] format. The following table describes the parameters.
Parameter | Description |
max-age | The time-to-live (TTL) of the HSTS header. Unit: seconds. Clients can initiate only HTTPS requests during this period. |
includeSubDomains | Optional. If you configure this parameter, HSTS is enabled for the domain name and its subdomains. |
preload | Optional. This parameter allows you to add the domain name to the HSTS preloaded list of the browser. |
The client uses HSTS for the domain name until the TTL that is specified by the max-age parameter expires. During the TTL, HTTP requests are blocked and converted to HTTPS requests.
After you enable HSTS, the first HTTP request that is initiated by the client is allowed because the HSTS setting is not synchronized to the client. In this case, the request may be intercepted or tampered with, which poses security risks. You can configure URL redirection to redirect HTTP to HTTPS. This way, POPs redirect HTTP to HTTPS based on HTTP 301 or 302 status code to prevent security risks.
Limits
After you configure HSTS, clients can access POPs only over HTTPS. Do not configure URL redirection to HTTP at the same time.
The HSTS response header applies to responses to HTTPS requests but does not apply to responses to HTTP requests. Before HSTS takes effect, you can enable the force redirect feature to redirect the first HTTP request from a client to HTTPS by using 301 redirection. For more information, see Configure URL redirection.
HSTS applies only to domain names and does not apply to IP addresses.
HSTS takes effect on clients. Disabling HSTS does not take effect immediately. You need to refresh the HSTS status and send the HSTS status to clients when the client initiates the next HTTPS request.
Procedure
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click HTTPS.
In the HSTS section, click Modify.
In the Configure HSTS dialog box, turn on HSTS, and configure the Expire In and Include Subdomains parameters.
Expire In: Specify the TTL for the HSTS response header that you want to cache on the browser. We recommend that you set the value to 60. Unit: days. If you set the value to 0, HSTS is disabled.
Include Subdomains: Make sure that HTTPS is enabled for all subdomains of the accelerated domain name before you turn on this switch. If you do not enable HTTPS for all subdomains of the accelerated domain name, the subdomains cannot be accessed after the requests are redirected to HTTPS. Proceed with caution.
Click OK.