Edge Security Acceleration: HSTS

Last Updated: Jul 23, 2025

You can enable the HTTP Strict Transport Security (HSTS) feature to force clients such as browsers to use HTTPS to establish connections to Edge Security Acceleration (ESA) points of presence (POPs). This helps improve connection security.

HSTS

HSTS is a method used to protect visitors by ensuring that their browsers always connect to a website over HTTPS.

After you configure HSTS, when a client connects to an Edge Security Acceleration (ESA) node over HTTPS for the first time, the ESA node returns the Strict-Transport-Security response header. This header tells the client that only HTTPS requests are allowed for a subsequent period. The structure of the HSTS response header is:

Strict-Transport-Security:max-age=expireTime [;includeSubDomains] [;preload]

The following table describes the parameters.

| Parameter | Description |
| --- | --- |
| max-age | The time-to-live (TTL) of the HSTS header. Unit: seconds. Clients can initiate only HTTPS requests during this period. |
| includeSubDomains | Optional. If you configure this parameter, HSTS is enabled for the domain name and its subdomains. |
| preload | Optional. This parameter lets you add the domain name to the HSTS preloaded list of the browser. |

Before you begin

  • Before you enable HSTS, make sure that an SSL/TLS certificate is configured and the edge certificate is configured for your website. For more information, see Configure edge certificates.

  • HSTS applies only to domain names and does not apply to IP addresses.

  • After you enable HSTS, Edge Security Acceleration (ESA) POPs forcibly redirect HTTP requests to HTTPS. This prevents security risks when a client initiates its first access over HTTP, because at that point the HSTS policy has not yet been synchronized to the client.

  • After you enable HSTS, clients can access Edge Security Acceleration (ESA) POPs only over HTTPS. Do not configure the feature that force-redirects HTTPS to HTTP and the HSTS feature at the same time.

  • HSTS takes effect on clients, so disabling HSTS does not take effect immediately. The HSTS status must be refreshed, and the refreshed status is sent to the client when the client initiates its next HTTPS request.

Enable HSTS

  1. In the ESA console, select Websites, and click the target site in the Website column.

  2. In the navigation pane on the left, select SSL/TLS > Edge Certificates.

  3. In the HSTS section, click Configure, turn on Status, and then click OK.
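After HSTS is enabled, the returned header can be checked the way a client interprets it. The following is an added example, not ESA code: it parses a Strict-Transport-Security value using the structure described above and applies the two rules listed under "Before you begin" (the header counts only over HTTPS and only for domain names). The function names, hosts, and header values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive such as a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive invalidates the header (RFC 6797)
        seen[name] = arg.strip().strip('"')  # the value may be a quoted string
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    return {
        "max_age": int(max_age),  # seconds; 0 tells the client to drop the policy
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def effective_policy(url, header_value):
    """Return the policy a client would store for this response, or None."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # clients ignore the header on plain HTTP responses
    try:
        ipaddress.ip_address(parts.hostname or "")
        return None  # HSTS applies to domain names, not IP addresses
    except ValueError:
        pass  # not an IP literal, so the host is a domain name
    return parse_hsts(header_value)


# Constructed sample responses; hosts and header values are placeholders.
SAMPLES = [
    ("https://www.example.com/", "max-age=31536000; includeSubDomains; preload"),
    ("http://www.example.com/", "max-age=31536000"),
    ("https://192.0.2.10/", "max-age=31536000"),
    ("https://www.example.com/", "includeSubDomains"),
]

if __name__ == "__main__":
    for url, value in SAMPLES:
        print(f"{url} {value!r} -> {effective_policy(url, value)}")
```

Only the first sample yields a stored policy; the others are discarded because of plain HTTP, an IP-address host, and a missing max-age.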
