We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Enabling HSTS for a Service

  • Last updated on

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified by a web application using the HTTP response header “Strict-Transport-Security”, which tells the browsers that they should only be communicated using secure HTTPS connections, and not using plaintext HTTP. The HSTS policy protects the web applications from the man-in-the-middle attacks, such as protocol downgrade, SSL stripping, cookie hijacking, etc.

When a service with HSTS policy gets a request using HTTP, it auto-redirects the request to HTTPS the first time and injects the HSTS response header. An HSTS compliant browser will not allow subsequent requests to the same domain or sub-domains (see below) to be sent over HTTP; it will automatically convert these requests to HTTPS before they are sent.

HSTS disallows users to ignore SSL-related warnings and helps mitigate MITM attacks on SSL, such as SSL stripping. It also prevents users from using HTTP links embedded inadvertently in an HTTPS-only application.

HSTS is different from Instant-SSL where all hard coded HTTP links in the responses are re-written as HTTPS on-the-fly by the Barracuda Web Application Firewall.

Many browsers and Web Clients support the Preloading Directive for HSTS. This directive ensures that the Clients connect to a predefined list of domain only by using the HTTPS protocol. The list of domains can be preloaded into your browser (or client). Refer to the respective browser help for more information.

Steps to Enable HSTS for a Service

Perform the following steps to enable HSTS for a service:

  1. Go to the BASIC > Services page.
  2. Click Edit next to the service to which you want to enable HSTS policy.
  3. Scroll down to the SSL section, click Show Advanced Settings and do the following:
    1. Enable HSTS – Set to Yes.
    2. HSTS Max-Age – Specify the maximum time in seconds that the HSTS policy should remain valid for the service.
    3. Include HSTS Sub-Domains – When set to Yes, the HSTS policy is enforced on all the sub-domains in the service.
    4. Modify the values for other parameters (if required).
    5. Click Save.
Last updated on