
Edge Security Acceleration: HSTS

Last Updated: Dec 01, 2025

Enable HTTP Strict Transport Security (HSTS) to force clients, such as browsers, to connect to Edge Security Acceleration (ESA) points of presence (POPs) using HTTPS. This improves connection security.

HSTS

HSTS is a web security policy that allows a website to declare that it can be accessed only through secure connections.

After you configure HSTS, when a client connects to an ESA POP using HTTPS for the first time, the ESA POP adds the Strict-Transport-Security response header. This header instructs the client to use only HTTPS for subsequent requests and to block HTTP requests. The HSTS response header has the following structure: Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]. The following table describes the parameters.

| Parameter | Description |
| --- | --- |
| max-age | The expiration time of the HSTS header, in seconds. During this period, clients must use HTTPS for access. |
| includeSubDomains | Optional. If you include this parameter, HSTS is enabled for the domain name and all its subdomains. |
| preload | Optional. Include this parameter if you want to submit your domain to the HSTS preload list that is built into browsers. |

Notes

  • Before you enable HSTS, ensure that your site has a properly configured SSL/TLS certificate and an edge certificate. For more information, see Configure edge certificates.

  • The HSTS policy applies only to domain names, not to IP addresses.

  • After you configure HSTS, if a client's first request to your site is over HTTP, the ESA POP forces a redirection to HTTPS. This redirection occurs because the HSTS policy is not yet cached by the client, which helps prevent potential security risks.

  • After you configure HSTS, clients can access ESA POPs only over HTTPS. Therefore, do not enable a forced redirection from HTTPS to HTTP at the same time.

  • The HSTS policy is enforced by the client. After you disable HSTS, the change does not take effect immediately. The client's cached policy is updated during the next HTTPS request.

Enable HSTS

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, select SSL/TLS > Edge Certificates.

  3. In the HSTS section, click Configure, enable the Status switch, and then click OK.
