HTTP Strict Transport Security (HSTS) is a web security policy mechanism that instructs browsers to communicate with a site over HTTPS only. This topic describes how to configure the hsts plug-in.
Plug-in type
Throttling plug-in.
Description
The hsts plug-in instructs the browser that, for a specified period of time, it must communicate with the server over HTTPS only. The difference between HSTS and the forceful HTTPS redirection feature is that with HSTS the browser itself converts HTTP requests into HTTPS requests (shown as an internal 307 redirect) without sending an additional network request to the server.
Principle
The hsts plug-in adds the strict-transport-security header to all HTTPS responses. The header is built from the following fields:
- max_age: the maximum duration in seconds for which HTTPS is forcefully used to access the website.
- include_sub_domains: specifies whether the current domain name and subdomain names forcefully use HTTPS to access the website.
Fields
| Name | Data type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| max_age | number | No | 15724800 | The maximum duration in seconds for which HTTPS is forcefully used to access the website. |
| include_sub_domains | bool | No | false | Specifies whether the current domain name and subdomain names forcefully use HTTPS to access the website. |
If include_sub_domains is set to true, the current domain name and all of its subdomain names forcefully use HTTPS to access the website. You must make sure that every subdomain name supports HTTPS before you set include_sub_domains to true. Otherwise, users cannot access the subdomains.
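The following added example (not the plug-in's own code) shows how the two fields above map onto the header value, that the header is attached to HTTPS responses only, and how to parse a header observed on the wire so you can check a deployed configuration; the function names `build_hsts_header`, `add_hsts` and `parse_hsts_header` are assumptions.

```python
import re
from typing import Dict, Optional

DEFAULT_MAX_AGE = 15724800  # the plug-in's default (182 days in seconds)


def build_hsts_header(max_age: int = DEFAULT_MAX_AGE,
                      include_sub_domains: bool = False) -> str:
    """Map the two plug-in fields onto the header value browsers parse."""
    if max_age < 0:
        raise ValueError("max_age must be a non-negative number of seconds")
    value = f"max-age={max_age}"
    if include_sub_domains:
        value += "; includeSubDomains"
    return value


def add_hsts(response_headers: Dict[str, str], scheme: str,
             max_age: int = DEFAULT_MAX_AGE,
             include_sub_domains: bool = False) -> Dict[str, str]:
    """Attach the header to HTTPS responses only: browsers ignore an HSTS
    header received over plain HTTP, so emitting it there protects nothing."""
    headers = dict(response_headers)
    if scheme.lower() == "https":
        headers["Strict-Transport-Security"] = build_hsts_header(
            max_age, include_sub_domains)
    return headers


# directive-name [= number], with the number optionally quoted (RFC 6797)
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*$')


def parse_hsts_header(value: str) -> Optional[Dict[str, object]]:
    """Parse a header seen on the wire. Returns None for a policy a browser
    would reject (no max-age, or a repeated directive); unknown directives
    such as preload are ignored, as RFC 6797 requires."""
    seen, result = set(), {"max_age": None, "include_sub_domains": False}
    for part in value.split(";"):
        if not part.strip():
            continue  # the grammar permits empty directives
        m = _DIRECTIVE.match(part)
        if not m or m.group(1).lower() in seen:
            return None
        name = m.group(1).lower()
        seen.add(name)
        if name == "max-age":
            if m.group(2) is None:
                return None
            result["max_age"] = int(m.group(2))
        elif name == "includesubdomains":
            result["include_sub_domains"] = True
    return result if result["max_age"] is not None else None
```

Running `parse_hsts_header` over the header returned by an HTTPS request to the gateway is a quick way to confirm that the configured `max_age` and `include_sub_domains` values actually reached clients.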