November 8, 2018

HTTP Strict Transport Security (HSTS)

  TLS, Zone Management


HTTP Strict Transport Security (HSTS) is a web security policy that asks web browsers (and other clients) to connect to a site only over HTTPS.

The settings for HSTS can be found under the Crypto settings tab in the left-side menu of the zone dashboard.

To enable HSTS, check HTTP Strict Transport Security (HSTS). Enabling HSTS also enables the redirect from HTTP to HTTPS, so clients that connect over HTTP are redirected to HTTPS.

The Max age setting is specified as a number of seconds, up to 3 years.

The Include subdomains setting tells clients whether the HSTS policy also applies to the subdomains of your domain.

The Preload setting adds the preload directive to the HSTS rule. This is required if you intend to submit your domain to the HSTS Preload List.

When a client connects, the HSTS policy is sent, telling the browser to connect only over HTTPS. The browser will not recheck the policy until Max age seconds have passed.

Even though NuevoCloud encourages the use of HSTS to improve the security of the web, this option has a long-term impact on how clients connect to your website. After it has been enabled, it takes up to Max age seconds to disable, since clients will not recheck the HSTS policy until that time has passed. Therefore, consider carefully whether you intend to serve your website over HTTPS only in the long term before enabling HSTS.
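The three settings above correspond to the directives of the Strict-Transport-Security response header. As an added example that is not NuevoCloud's code, the Python below builds the header value from those settings, parses a received header back into settings so you can verify what your zone is actually sending, and lists why a header would be rejected by the HSTS Preload List; the preload requirements it checks (max-age of at least one year, includeSubDomains and preload present) are taken from hstspreload.org, not from this page.

```python
# Added example (not NuevoCloud's code). The Max age, Include subdomains and
# Preload zone settings map onto the three directives of the
# Strict-Transport-Security header (RFC 6797): build_hsts renders the header,
# parse_hsts reads one back, preload_problems checks preload-list readiness.

THREE_YEARS = 3 * 365 * 24 * 3600       # upper bound for Max age on this page
PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600   # hstspreload.org requires >= 1 year

def build_hsts(max_age, include_subdomains=False, preload=False):
    """Render the header value for the given zone settings."""
    if not 0 <= max_age <= THREE_YEARS:
        raise ValueError("max_age must be 0..3 years, in seconds")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)

def parse_hsts(value):
    """Parse a header value back into settings. Directive names are
    case-insensitive and unknown directives are ignored (RFC 6797)."""
    settings = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"bad max-age: {arg!r}")
            settings["max_age"] = int(arg)
        elif name == "includesubdomains":
            settings["include_subdomains"] = True
        elif name == "preload":
            settings["preload"] = True
    if settings["max_age"] is None:
        raise ValueError("max-age directive is required")
    return settings

def preload_problems(value):
    """Return why a header would fail HSTS Preload List submission."""
    s = parse_hsts(value)
    problems = []
    if s["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not s["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not s["preload"]:
        problems.append("preload directive missing")
    return problems
```

Run `preload_problems` against the value of your own site's Strict-Transport-Security header before submitting to the preload list; an empty list means the header satisfies the three requirements checked here.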