HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies with the HTTP response header “Strict-Transport-Security”. It tells browsers that they must communicate with the site only over secure HTTPS connections, never over plaintext HTTP. The HSTS policy protects web applications against man-in-the-middle attacks such as protocol downgrade, SSL stripping and cookie hijacking.
When a service with an HSTS policy receives a request over HTTP, it redirects the request to HTTPS the first time and adds the HSTS response header. An HSTS-compliant browser will not allow subsequent requests to the same domain or its sub-domains (see below) to be sent over HTTP; it automatically converts these requests to HTTPS before they are sent.
HSTS prevents users from clicking through SSL-related certificate warnings and helps mitigate MITM attacks on SSL, such as SSL stripping. It also stops HTTP links embedded inadvertently in an HTTPS-only application from being requested over plaintext HTTP.
Steps to Enable HSTS for a Service
Perform the following steps to enable HSTS for a service:
- Go to the BASIC > Services page.
- Click Edit next to the service for which you want to enable the HSTS policy.
- Scroll down to the SSL section, click Show Advanced Settings and do the following:
  - Enable HSTS – Set to Yes.
  - HSTS Max-Age – Specify the time, in seconds, for which a browser should remember that the service must be reached only over HTTPS (the max-age directive of the header).
  - Include HSTS Sub-Domains – When set to Yes, the HSTS policy is also enforced on all sub-domains of the service (the includeSubDomains directive of the header).
- Modify the values for other parameters (if required).
- Click Save.
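After saving, it is worth verifying that the service actually emits a well-formed header with the intended max-age and sub-domain scope. The following script is an added example, not part of this documentation or of the product: it parses a Strict-Transport-Security header the way RFC 6797 describes, and reports weak or ineffective configurations (header sent only over HTTP, malformed header, max-age of zero or below a threshold, missing includeSubDomains). The sample responses are constructed inline; the one-year minimum max-age is an assumed threshold, commonly recommended but not dictated by the page.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) header."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real service) as a
# post-deployment check might see them.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "https-good": {"scheme": "https", "status": 200,
                   "headers": {"Strict-Transport-Security":
                               "max-age=31536000; includeSubDomains"}},
    "https-short": {"scheme": "https", "status": 200,
                    "headers": {"strict-transport-security": "max-age=300"}},
    "http-redirect": {"scheme": "http", "status": 301,
                      "headers": {"Location": "https://www.example.com/",
                                  "Strict-Transport-Security": "max-age=31536000"}},
    "http-no-redirect": {"scheme": "http", "status": 200, "headers": {}},
    "https-missing": {"scheme": "https", "status": 200, "headers": {}},
}

ONE_YEAR = 31536000  # assumed minimum max-age; a common recommendation


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value per RFC 6797 section 6.1.

    Directives are ';'-separated and case-insensitive; max-age is required and
    each directive may appear only once. A header that violates the syntax is
    ignored by browsers, so it is returned here as None. Unknown directives are
    skipped, as browsers do.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # value may be a quoted-string
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or non-numeric max-age -> malformed
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def _header(response: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, val in response["headers"].items():
        if key.lower() == name.lower():
            return val
    return None


def check_response(response: dict, min_max_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings; an empty list means the HSTS setup looks sound."""
    findings: List[str] = []
    sts = _header(response, "Strict-Transport-Security")

    if response["scheme"] != "https":
        # RFC 6797 section 8.1: STS headers received over insecure transport are ignored.
        if sts is not None:
            findings.append("HSTS header sent over plain HTTP is ignored by browsers")
        location = _header(response, "Location") or ""
        if not (300 <= response["status"] < 400 and location.startswith("https://")):
            findings.append("HTTP request is not redirected to HTTPS")
        return findings

    if sts is None:
        findings.append("Strict-Transport-Security header missing on HTTPS response")
        return findings
    policy = parse_hsts(sts)
    if policy is None:
        findings.append("Strict-Transport-Security header is malformed and will be ignored")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 instructs browsers to delete the stored policy")
    elif policy.max_age < min_max_age:
        findings.append(f"max-age {policy.max_age}s is below the assumed minimum {min_max_age}s")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set: sub-domains remain reachable over HTTP")
    return findings


if __name__ == "__main__":
    for label, resp in SAMPLE_RESPONSES.items():
        print(label, "->", check_response(resp) or "OK")
```

The HTTP-scheme branch matters in practice: a service that only adds the header to the plaintext response, without redirecting, gives browsers nothing they will honour, which is why the check inspects the redirect and the HTTPS response separately.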