This topic describes how to configure HTTP Strict Transport Security (HSTS). After HSTS is configured, clients such as browsers that have received the policy establish only HTTPS connections to Dynamic Route for CDN (DCDN) nodes for the domain name, which protects requests against hijacking and tampering in transit.

Prerequisites

An SSL certificate is configured for the domain name. For more information, see Configure an SSL certificate.

Background information

HSTS is a policy mechanism (RFC 6797) by which a website instructs clients such as browsers to use HTTPS only. After a browser has received the policy in an HTTPS response, it automatically rewrites later plain-HTTP requests for the domain name to HTTPS before sending them, and it refuses connections whose SSL certificate fails validation instead of letting the user click through the warning. Because the policy is learned from an HTTPS response and cached for the TTL in the header, it protects every visit after the first one; the very first visit is covered only if the domain name is on the browser's HSTS preload list.

If HSTS is disabled and HTTPS is enabled on DCDN nodes, HTTP requests sent to the DCDN nodes are redirected to HTTPS with an HTTP 301 or 302 status code when redirection from HTTP to HTTPS is enabled. Every visit that starts over HTTP then sends a plaintext request first, and that request, or the redirect that answers it, can be hijacked or tampered with on the network. If HSTS is enabled, a browser that has cached the policy sends requests for the domain name to the DCDN nodes only over HTTPS, so the plaintext request is never sent and cannot be hijacked or tampered with.

The HSTS response header has the following format:

Strict-Transport-Security: max-age=<expireTime>[; includeSubDomains][; preload]

The following table describes the directives in the header.

Parameter          Description
max-age            Required. The time-to-live (TTL) of the policy in the browser, in seconds, counted from the moment the browser receives the response. A value of 0 instructs the browser to discard the cached policy for the domain name.
includeSubDomains  Optional. If this directive is present, the policy also applies to all subdomains of the domain name that returned the header.
preload            Optional. Signals that the domain owner consents to the domain name being added to the HSTS preload lists that browsers ship with. The directive by itself does not add the domain name to a list; the domain name must be submitted separately, and removal from a preload list takes a long time to propagate.
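As an added illustration of the directives described above (example code written for this page, not part of DCDN or its documentation; the host names and header values are constructed), the following Python parses a Strict-Transport-Security value the way RFC 6797 specifies and models how a browser stores and applies the policy: the header is only honored over HTTPS, includeSubDomains extends the policy to child domains, max-age=0 revokes it, and an expired entry is treated as absent.

```python
"""Parse a Strict-Transport-Security header and model how a browser applies it.

Added example for this page; not DCDN product code. Hosts and header
values below are constructed. Directive handling follows RFC 6797:
directives are ';'-separated, names are case-insensitive, max-age is
mandatory, and a repeated directive makes the header invalid.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int              # seconds, as sent in the header (60 days = 5184000)
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy in the header value, or None if it is invalid."""
    seen = set()
    max_age = None
    include_sub = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:              # RFC 6797 s6.1: duplicate directive -> invalid header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')   # max-age="5184000" is also valid
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, which keeps the header extensible
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class HstsCache:
    """The per-host HSTS store a browser keeps between visits."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[HstsPolicy, int]] = {}  # host -> (policy, expiry epoch)

    def observe(self, host: str, scheme: str, header: str, now: int) -> bool:
        """Record a policy from a response. Returns True if the header was accepted.
        The header is ignored unless it arrived over HTTPS (RFC 6797 s8.1),
        which is why the very first plain-HTTP visit is not protected."""
        if scheme != "https":
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:       # max-age=0 tells the browser to forget the host
            self._store.pop(host, None)
        else:
            self._store[host] = (policy, now + policy.max_age)
        return True

    def must_use_https(self, host: str, now: int) -> bool:
        """True if a request to host must be upgraded to HTTPS: either the host
        itself or an ancestor domain with includeSubDomains has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._store.get(".".join(labels[i:]))
            if entry is None:
                continue
            policy, expiry = entry
            if now >= expiry:         # expired entries are treated as absent
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    cache = HstsCache()
    # Plain-HTTP response: header ignored, nothing cached.
    cache.observe("www.example.com", "http", "max-age=5184000", now=0)
    print(cache.must_use_https("www.example.com", now=1))             # False
    # HTTPS response with Expire In = 60 days and Include Subdomains on.
    cache.observe("example.com", "https", "max-age=5184000; includeSubDomains", now=0)
    print(cache.must_use_https("api.example.com", now=10))            # True
    print(cache.must_use_https("api.example.com", now=5184000))       # False, TTL elapsed
```

The model shows why the Expire In value matters: once example.com has been seen with includeSubDomains, api.example.com is forced to HTTPS for the full TTL regardless of whether that subdomain actually has a certificate.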

Limits

  • Browsers honor the HSTS header only in HTTPS responses, so a client that has not yet cached the policy may still send its first request over HTTP. Configure force redirect so that such requests are redirected to HTTPS with a 301 status code; the browser then receives the HSTS header on the HTTPS response and uses HTTPS directly from then on.
  • The HSTS response header is returned only in responses to HTTPS requests, not in responses to HTTP requests.
  • HSTS applies only to port 443.
  • HSTS applies only to domain names. It does not apply to IP addresses.

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click HTTPS Settings.
  5. In the HSTS section, turn on HSTS and specify the Expire In and Include Subdomains parameters.
    • Expire In: specifies the TTL for the HSTS policy to be cached in the browser. You can specify a value between 0 and 730. We recommend that you set the value to 60. Unit: days. The value is sent to browsers as max-age in seconds (60 days corresponds to max-age=5184000). Start with a short TTL and increase it only after you confirm that every URL works over HTTPS, because a browser keeps enforcing the policy until the TTL expires.
    • Include Subdomains: Proceed with caution. Make sure that HTTPS is enabled, with a valid certificate, for all subdomains of the accelerated domain name. Otherwise, browsers that have cached the policy upgrade requests to those subdomains to HTTPS as well, and any subdomain that cannot serve HTTPS becomes inaccessible until the TTL expires.
  6. Click OK.
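After the console change, it is worth checking from outside that the deployment matches what was configured. The following Python script is an added example for this page, not DCDN product code; it sends one HEAD request over HTTPS and one over HTTP without following redirects, then verifies that the HTTPS response carries Strict-Transport-Security with a max-age equal to the Expire In value in seconds, that includeSubDomains matches the console switch, and that the HTTP response carries no HSTS header but redirects to HTTPS. The host name and expected values passed on the command line are assumptions; the sample headers used when no arguments are given are constructed so the check logic runs offline.

```python
"""Verify an HSTS deployment against the console configuration.

Added example for this page; not DCDN product code. The host name and
expected values are assumptions supplied on the command line; the
sample headers in main() are constructed for offline use.
"""
import http.client
import ssl
import sys
from typing import Dict, List, Optional

SECONDS_PER_DAY = 86400


def fetch_headers(host: str, scheme: str, path: str = "/") -> Dict[str, str]:
    """Send one HEAD request without following redirects and return the
    response headers (lower-cased names) plus the status code under ':status'."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(
            host, 443, timeout=10, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        headers[":status"] = str(resp.status)
        return headers
    finally:
        conn.close()


def max_age_seconds(hsts_value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age":
            return int(value) if value.isdigit() else None
    return None


def check_hsts(https_headers: Dict[str, str], http_headers: Dict[str, str],
               expire_in_days: int, include_subdomains: bool) -> List[str]:
    """Compare observed headers with the console configuration.
    Returns a list of findings; an empty list means everything matches."""
    findings: List[str] = []
    expected = expire_in_days * SECONDS_PER_DAY
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        age = max_age_seconds(hsts)
        if age != expected:
            findings.append(f"max-age is {age}, expected {expected} ({expire_in_days} days)")
        has_sub = "includesubdomains" in hsts.lower()
        if has_sub != include_subdomains:
            findings.append("includeSubDomains directive does not match the console setting")
    # Browsers ignore HSTS over plain HTTP, so the header should not be there;
    # instead force redirect must send the client to HTTPS.
    if "strict-transport-security" in http_headers:
        findings.append("HTTP response carries an HSTS header that browsers will ignore")
    status = http_headers.get(":status", "")
    location = http_headers.get("location", "")
    if status not in ("301", "302") or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS; enable force redirect")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check_hsts.py <host> <expire_in_days> <include_subdomains: yes|no>
        host, days, sub = sys.argv[1], int(sys.argv[2]), sys.argv[3] == "yes"
        result = check_hsts(fetch_headers(host, "https"), fetch_headers(host, "http"), days, sub)
    else:
        # Constructed sample: Expire In = 60 days, Include Subdomains off, force redirect on.
        sample_https = {":status": "200", "strict-transport-security": "max-age=5184000"}
        sample_http = {":status": "301", "location": "https://www.example.com/"}
        result = check_hsts(sample_https, sample_http, 60, False)
    print("OK" if not result else "\n".join(result))
```

Run the script against the accelerated domain name with the values you entered in the console; any non-empty finding means a browser will behave differently from what the configuration intends.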