All Products
Search
Document Center

API Gateway:HSTS

Last Updated:Jun 02, 2026

HTTP Strict Transport Security (HSTS) enhances web application security by enforcing HTTPS connections. Configure the HSTS plug-in to instruct browsers to communicate with your server over HTTPS only.

Plug-in type

Throttling plug-in.

Description

The HSTS plug-in instructs browsers to communicate with the server over HTTPS only for a specified duration. Unlike forceful HTTPS redirection, HSTS triggers a 307 internal redirect in the browser, converting HTTP requests to HTTPS without additional network round-trips.

How it works

The HSTS plug-in adds the strict-transport-security header to all HTTPS responses with the following fields:

  • max_age: duration in seconds that the browser enforces HTTPS-only access.

  • include_sub_domains: whether to enforce HTTPS for the current domain and all subdomains.

Fields

Field

Data type

Required

Default value

Description

max_age

number

No

15724800

Duration in seconds that the browser enforces HTTPS-only access.

include_sub_domains

bool

No

false

Whether to enforce HTTPS for the current domain and all subdomains.

Note

If include_sub_domains is set to true, the current domain and all subdomains enforce HTTPS-only access. All subdomains must support HTTPS. Otherwise, users cannot access the subdomains. We recommend that you configure all subdomains to support HTTPS before you enable this option.