This topic describes how to configure HTTP Strict Transport Security (HSTS). After you configure HSTS, clients such as browsers can establish only HTTPS connections to points of presence (POPs). This improves security.
Prerequisites
An SSL certificate is configured. For more information, see Configure an SSL certificate.
Background information
HSTS is a policy mechanism that allows websites to accept only HTTPS connections.
After you configure HSTS, the first time a client connects to a POP over HTTPS, the POP uses a response header to inform the client that only HTTPS requests are allowed within a period of time and blocks HTTP requests. The HSTS response header is in the Strict-Transport-Security:max-age=expireTime [;includeSubDomains] [;preload] format. The following table describes the parameters.
Parameter | Description |
max-age | The time-to-live (TTL) of the HSTS header. Unit: seconds. Clients can initiate only HTTPS requests during this period. |
includeSubDomains | Optional. If you configure this parameter, HSTS is enabled for the domain name and its subdomains. |
preload | Optional. This parameter allows you to add the domain name to the HSTS preloaded list of the browser. |
The client uses HSTS for the domain name until the TTL that is specified by the max-age parameter expires. During the TTL, HTTP requests are blocked and converted to HTTPS requests.
After you enable HSTS, POPs redirect the first HTTP request that is initiated by a client to HTTPS with HTTP 301 status code to prevent security risks as the HSTS setting has not been synchronized to clients.
Limits
After you configure HSTS, clients can access POPs only over HTTPS. Do not configure URL redirection to HTTP at the same time.
HSTS applies only to domain names and does not apply to IP addresses.
HSTS takes effect on clients. Disabling HSTS does not immediately take effect. You need to refresh the HSTS status and send the HSTS status to the client when the client initiates the next HTTPS request.
Procedure
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click HTTPS.
In the HSTS section, click Modify.Modify
In the Configure HSTS dialog box, turn on HSTS, and configure the Expire In and Include Subdomains parameters.
Expire In: Specify the TTL for the HSTS response header that you want to cache on the browser. We recommend that you set the value to 60. Unit: days. If you set the value to 0, HSTS is disabled.
Include Subdomains: Make sure that HTTPS is enabled for all subdomains of the accelerated domain name before you turn on this switch. If you do not enable HTTPS for all subdomains of the accelerated domain name, the subdomains cannot be accessed after the requests are redirected to HTTPS. Proceed with caution.
Click OK.