HTTP Strict Transport Security (HSTS) enhances web application security by enforcing HTTPS connections. Configure the HSTS plug-in to instruct browsers to communicate with your server over HTTPS only.
Plug-in type
Throttling plug-in.
Description
The HSTS plug-in instructs browsers to communicate with the server over HTTPS only for a specified duration. Unlike forceful HTTPS redirection, HSTS triggers a 307 internal redirect in the browser, converting HTTP requests to HTTPS without additional network round-trips.
How it works
The HSTS plug-in adds the strict-transport-security header to all HTTPS responses with the following fields:
-
max_age: duration in seconds that the browser enforces HTTPS-only access. -
include_sub_domains: whether to enforce HTTPS for the current domain and all subdomains.
Fields
|
Field |
Data type |
Required |
Default value |
Description |
|
max_age |
number |
No |
15724800 |
Duration in seconds that the browser enforces HTTPS-only access. |
|
include_sub_domains |
bool |
No |
false |
Whether to enforce HTTPS for the current domain and all subdomains. |
If include_sub_domains is set to true, the current domain and all subdomains enforce HTTPS-only access. All subdomains must support HTTPS. Otherwise, users cannot access the subdomains. We recommend that you configure all subdomains to support HTTPS before you enable this option.