Edge Security Acceleration: HSTS

Last Updated: Mar 31, 2025

You can enable the HTTP Strict Transport Security (HSTS) feature to force clients such as browsers to use HTTPS to establish connections to Edge Security Acceleration (ESA) points of presence (POPs). This helps improve connection security.

HSTS

HSTS is a method that is used to protect visitors by ensuring that their browsers always connect to a website over HTTPS.

After you enable the HSTS feature, when a client first accesses your website over HTTPS, ESA POPs return the Strict-Transport-Security header to notify the client that only HTTPS requests are allowed during the subsequent period of time. The structure of the HSTS header is Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters in the structure.

| Parameter | Description |
| --- | --- |
| max-age | The time-to-live (TTL) of the HSTS header. Unit: seconds. Clients can initiate only HTTPS requests during this period. |
| includeSubDomains | Optional. If you configure this parameter, HSTS is enabled for the domain name and its subdomains. |
| preload | Optional. This parameter allows you to add the domain name to the HSTS preloaded list of the browser. |

Before you begin

  • Before you enable HSTS, make sure that an SSL/TLS certificate is configured and the SSL/TLS feature is enabled for your website. For more information, see Configure edge certificates.

  • HSTS applies only to domain names and does not apply to IP addresses.

  • After you enable HSTS, if a client initiates its first access over HTTP, ESA POPs forcibly redirect the HTTP request to HTTPS to prevent security risks. This is necessary because the HSTS policy has not yet been synchronized to the client at that point.

  • After you enable HSTS, the client can access ESA POPs only over HTTPS. Do not configure the force redirect HTTPS to HTTP feature and the HSTS feature at the same time.

  • HSTS takes effect on clients, so disabling HSTS does not take effect immediately. The HSTS status must be refreshed and sent to the client when the client initiates its next HTTPS request.

Enable HSTS

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Edge Certificates.

  3. In the HSTS section, click Configure, turn on Status, and then click OK.
