HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies using the HTTP response header “Strict-Transport-Security”. This header tells browsers that they should communicate with the application only over secure HTTPS connections and never over plain-text HTTP. The HSTS policy protects web applications from man-in-the-middle attacks such as protocol downgrade, SSL stripping and cookie hijacking.
When a service with an HSTS policy receives a request over HTTP, it redirects that first request to HTTPS and injects the HSTS response header. An HSTS-compliant browser will not allow subsequent requests to the same domain or its sub-domains (see below) to be sent over HTTP; it automatically converts these requests to HTTPS before they are sent.
HSTS prevents users from clicking through SSL-related warnings and helps mitigate MITM attacks on SSL, such as SSL stripping. It also prevents users from inadvertently following HTTP links embedded in an HTTPS-only application.
Steps to Enable HSTS for a Service
To enable HSTS for a service:
- Go to the BASIC > Services page.
- Click Edit next to the service for which you want to enable the HSTS policy.
- Scroll down to the SSL section, click Show Advanced Settings, and do the following:
  - Enable HSTS – Set to Yes to enable.
  - HSTS Max-Age – Specify the maximum time in seconds for which the HSTS policy should remain valid for the service.
  - Include HSTS Sub-Domains – When set to Yes, the HSTS policy is enforced on all sub-domains of the service.
- Modify the values for the other parameters (if required).
- Click Save.
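The following is an added example, not the product's own code, that shows what the HSTS Max-Age and Include HSTS Sub-Domains settings above translate to on the wire and how a compliant browser acts on them. It builds and parses the Strict-Transport-Security header, simulates the service-side behaviour described at the top of the page (HTTP request redirected to HTTPS, HSTS header injected on the HTTPS response, as RFC 6797 requires), and keeps a browser-side cache that upgrades later HTTP requests, honouring expiry and the sub-domain flag. All function names, the `HstsCache` class and the sample hosts are assumptions made for the illustration.

```python
"""HSTS header construction, parsing and browser-side upgrade logic.

Added illustration only; behaviour follows RFC 6797, not any vendor's code.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def build_hsts_header(max_age: int, include_subdomains: bool = False) -> str:
    """Build the Strict-Transport-Security value the service injects.

    max_age maps to the HSTS Max-Age setting, include_subdomains to
    Include HSTS Sub-Domains.
    """
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts_header(value: str) -> dict:
    """Parse a Strict-Transport-Security value the way a browser would."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            # max-age may be quoted; a duplicate makes the header invalid
            m = re.fullmatch(r'"?(\d+)"?', raw.strip())
            if not m or policy["max_age"] is not None:
                raise ValueError("invalid or duplicate max-age directive")
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives are ignored, per RFC 6797
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def service_response(url: str, max_age: int, include_subdomains: bool) -> dict:
    """Simulate the HSTS-enabled service for one request.

    HTTP  -> redirect to the same URL over HTTPS.
    HTTPS -> serve the page and inject the HSTS header.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        return {"status": 301,
                "headers": {"Location": urlunsplit(("https",) + tuple(parts[1:]))}}
    return {"status": 200,
            "headers": {"Strict-Transport-Security":
                        build_hsts_header(max_age, include_subdomains)}}


class HstsCache:
    """Browser-side store of hosts known to require HTTPS."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host: str, header_value: str, now: float = None) -> None:
        """Record (or, for max-age=0, forget) a policy received over HTTPS."""
        now = time.time() if now is None else now
        policy = parse_hsts_header(header_value)
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host: str, now: float = None) -> bool:
        """True if an unexpired policy covers host directly or via a parent."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # Max-Age elapsed; policy no longer applies
            if i == 0 or include_subdomains:
                return True  # exact host, or parent with Include Sub-Domains
        return False

    def rewrite(self, url: str, now: float = None) -> str:
        """Upgrade an http:// URL to https:// before it is ever sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The `now` parameter exists so expiry can be exercised deterministically; in a real client it would simply be the wall clock. Note that a policy with Include HSTS Sub-Domains set to No covers only the exact host, so `api.app.example.com` is still sent over HTTP until it receives its own header.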