This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is configured, clients such as browsers can establish only HTTPS connections to CDN edge nodes. HSTS protects requests from hijacking.

Prerequisites

An SSL certificate is configured for the domain name. For more information, see Configure an SSL certificate.

Background information

HSTS is a policy mechanism that lets a website declare that it accepts only HTTPS connections. Websites use HSTS to require that clients such as browsers connect over HTTPS; HTTP requests and untrusted SSL certificates are rejected. HSTS prevents man-in-the-middle (MITM) attacks during the first visits from clients.

If HSTS is disabled and HTTPS is enabled on CDN edge nodes, HTTP requests sent to the edge nodes are redirected to HTTPS when 301 redirection or 302 redirection is enabled. The first HTTP request sent from a client to an edge node may still be hijacked or tampered with, which raises security issues. If HSTS is enabled, clients can access the origin server only over HTTPS. This prevents requests from being hijacked or tampered with.

The HSTS response header has the format Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters in the header.

Parameter          Description
max-age            The time-to-live (TTL) of the HSTS header. Unit: seconds.
includeSubDomains  Optional. If this parameter is set, the preceding parameter (max-age) also applies to all subdomains of the domain name.
preload            Optional. This parameter allows you to add the domain name to the HSTS preload list of the browser.

Limits

  • Before HSTS takes effect, you can configure URL redirection (see Configure URL redirection) to redirect the first HTTP requests from clients to HTTPS by using 301 redirection.
  • The HSTS response header applies to the responses to HTTPS requests, but does not apply to the responses to HTTP requests.
  • HSTS applies only to port 443.
  • HSTS applies only to domain names. It does not apply to IP addresses.
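As an added example (not part of the original documentation), the following Python script parses the Strict-Transport-Security header described in the table above and checks a set of constructed responses against the expected console setting (Expire In of 60 days, which is 5184000 seconds); the function names and the sample headers are assumptions, and the header is expected only on HTTPS responses, as the limits state.

```python
# Console "Expire In" is specified in days; the header's max-age is in seconds.
SECONDS_PER_DAY = 86400


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.
    Returns None if the header is malformed (missing or non-numeric max-age)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def check_hsts(scheme, headers, expected_days=60):
    """Compare one response's HSTS header with the expected console setting.
    Returns a list of findings; an empty list means the response is as expected."""
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        # The CDN adds HSTS only to HTTPS responses; browsers ignore it on HTTP anyway.
        if value is not None:
            findings.append("HSTS header on a plain HTTP response is ignored by browsers")
        return findings
    if value is None:
        return ["HTTPS response has no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed Strict-Transport-Security header: " + value]
    if parsed["max_age"] == 0:
        # max-age=0 tells the browser to discard any cached policy for the host.
        findings.append("max-age=0 instructs browsers to discard the cached HSTS policy")
    elif parsed["max_age"] != expected_days * SECONDS_PER_DAY:
        findings.append(f"max-age is {parsed['max_age'] // SECONDS_PER_DAY} days, "
                        f"expected {expected_days}")
    return findings


# Constructed sample responses (not captured from a real CDN), as (scheme, headers).
SAMPLE_RESPONSES = [
    ("https", {"Strict-Transport-Security": "max-age=5184000; includeSubDomains"}),
    ("https", {"Content-Type": "text/html"}),
    ("http", {"Location": "https://example.com/"}),
]


def audit(responses, expected_days=60):
    """Run check_hsts over every sampled response and return the findings per response."""
    return [check_hsts(scheme, hdrs, expected_days) for scheme, hdrs in responses]
```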

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click HTTPS.
  5. In the HSTS section, click Modify.
  6. In the Configure HSTS dialog box, turn on HSTS.
  7. Set the following parameters.
    • Expire In: specifies a TTL for the HSTS response header to be cached on the browser. You can specify a value between 0 and 730. We recommend that you set the value to 60. Unit: days.
    • Include Subdomains: Proceed with caution. Make sure that HTTPS is enabled for all subdomains of the accelerated domain name. Otherwise, URLs to the subdomains become inaccessible after the requests are redirected to HTTPS.
  8. Click OK.