HSTS


Enable HTTP Strict Transport Security (HSTS) to force clients such as browsers to connect to Edge Security Acceleration (ESA) POPs over HTTPS.

HSTS

HSTS is a web security mechanism that declares a site accessible only over HTTPS.

When a client first connects to an ESA POP over HTTPS, the POP returns the Strict-Transport-Security response header, which instructs the client to use HTTPS exclusively for all subsequent requests within the specified period and to block plain HTTP requests. Header syntax: Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

Parameter          Description
max-age            The time-to-live (TTL) for the HSTS header, in seconds. Clients use HTTPS exclusively during this period.
includeSubDomains  Optional. Applies the HSTS policy to the domain and all its subdomains.
preload            Optional. Submits the domain to the browser's built-in HSTS preload list.

Usage notes

  • Before you enable HSTS, configure an SSL/TLS certificate for your site. For more information, see Configure Edge Certificate.

  • The HSTS policy applies only to domain names, not to IP addresses.

  • On a client's first visit, the HSTS policy has not yet been synchronized to the client. If the client connects over HTTP, the ESA POP forcibly redirects the request to HTTPS to mitigate the security risk.

  • After HSTS is enabled, clients access ESA POPs only over HTTPS. Do not configure a force redirect from HTTPS to HTTP.

  • HSTS is enforced on the client side. Disabling HSTS does not take effect immediately. Perform a refresh to send the updated HSTS policy to the client during its next HTTPS request.
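The following added example (not part of ESA or its documentation) parses the header syntax described above and models how a client caches the policy, so you can see the first-visit gap, subdomain coverage, and expiry after max-age. The hostnames are constructed sample values.

```python
"""Parse Strict-Transport-Security headers and model a client's HSTS cache."""
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse 'max-age=N [; includeSubDomains] [; preload]'; directive names are case-insensitive."""
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                raise ValueError(f"invalid or duplicate max-age in {header_value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        raise ValueError(f"max-age is required in {header_value!r}")
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[int, bool]] = {}

    def observe(self, host: str, header_value: str, now: int) -> None:
        """Record the policy carried by an HTTPS response from host at time `now` (seconds)."""
        policy = parse_hsts(header_value)
        if policy.max_age == 0:
            self._store.pop(host, None)  # max-age=0 tells the client to forget the policy
        else:
            self._store[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: int) -> bool:
        """True if a cached, unexpired policy forces HTTPS for host (or a covering superdomain)."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._store.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False  # no policy yet: this is the "first visit" case the POP must redirect
```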

Enable HSTS

  1. In the ESA console, select Site Management, and click the target site in the Website column.

  2. In the navigation pane on the left, select Edge Certificates.

  3. In the HSTS area, click Configure, turn on the Status switch, and then click OK.


Site-level and rule-based configuration

Site-level HSTS applies to all requests. To apply HSTS only to specific requests, use the rule-based HSTS feature, which uses conditions to match request parameters.