When you enter an HTTP link in the browser or click it directly, the server redirects the HTTP request to HTTPS with a 301 or 302 response. This redirection can be hijacked, so the redirected request may never reach the server. Enabling the HSTS (HTTP Strict Transport Security) feature compels the client (such as a browser) to connect to the server over HTTPS, which reduces the risk of hijacking during the first access.
Response header syntax of HSTS:
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
The parameters are described in the table below.
| Parameter | Description |
|---|---|
| max-age | Required parameter, in seconds. Specifies the expiry time of the HSTS header. |
| Strict-Transport-Security | While the cached Strict-Transport-Security header has not expired, the browser converts any HTTP access to the domain name into HTTPS internally with a 307 redirect, so the 301/302 redirection between browser and server cannot be hijacked. |
| includeSubDomains | Optional parameter. If present, HSTS protection is enabled for the current domain name and all of its sub-domain names. |
| preload | Optional parameter. Supports the preload list. |
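To make the header semantics above concrete, the following added example (not code from the CDN product or its documentation) parses a Strict-Transport-Security header and applies the browser-side rule the table describes: an HTTP request to the domain (or, with includeSubDomains, to a sub-domain) is upgraded to HTTPS only while the cached max-age has not expired. All host names and timestamps are constructed.

```python
"""Parse an HSTS header and model the browser's cached upgrade decision."""
import re
from dataclasses import dataclass

SIXTY_DAYS = 60 * 24 * 3600  # expiry suggested later on this page, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse 'max-age=N [; includeSubDomains] [; preload]' (RFC 6797 syntax).

    Directive names are case-insensitive; unknown directives are ignored.
    Raises ValueError if max-age is missing or not a non-negative integer.
    """
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def should_upgrade(policy: HstsPolicy, policy_host: str, request_host: str,
                   received_at: int, now: int) -> bool:
    """True if the browser rewrites http://request_host to https internally (307).

    A cached policy whose max-age has elapsed (or was 0) no longer applies,
    so the request would go out as plain HTTP again.
    """
    if now - received_at >= policy.max_age:
        return False
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)
```

A max-age of 0 is a valid header that tells the browser to drop the cached policy, which is why the expiry check uses `>=` rather than `>`.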
Before enabling the HSTS feature, make sure that the HTTPS certificate has been configured successfully. See Certificate Management for configuration details.
- Log into the CDN Management Console and enter the "Content Delivery Network (CDN)" page.
- Click Domain Name Management on the left navigation bar.
- On the domain name management page, click Management in the operation column of the target domain name.
- On the "CDN Domain Name Details" page, select the HTTPS Configuration tab on the top navigation bar.
- On the HTTPS configuration page, click Edit in the HSTS Configuration module.
- Set the HSTS parameters: select Enable, fill in the expiry time, and choose whether to include sub-domain names.
  - The expiry time is how long the browser caches the HSTS response header. Filling in 60 days is suggested.
  - If you enable "Include sub-domain names", you must make sure that HTTPS is enabled for all sub-domain names of this acceleration domain.
- After clicking Save, the HSTS Configuration module shows that HSTS has been set successfully, and the page displays the message "the configuration has been updated successfully, and will take effect in about five minutes".