Enabling HSTS through Fastly
Last updated July 19, 2019
The HTTP Strict Transport Security (HSTS) security enhancement specification provides a way to force modern browsers to communicate only via the Transport Layer Security (TLS) protocol. Once enabled, HSTS will force the browser to redirect (typically with a status code 307) to the HTTPS URL.
NOTE: HSTS only takes effect after a site has been visited on a trusted HTTPS connection. It doesn't replace the need to have redirects from your HTTP site.
Prerequisites
These instructions assume that you've set up TLS service with Fastly.
Forcing TLS and enabling HSTS
To force TLS and enable HSTS, follow these steps.
NOTE: Services activated using a previous version of the Force TLS controls may temporarily display an additional, older testing duration. Once you select the recommended new testing duration, this older option will disappear.
- Log in to the Fastly web interface and click the Configure link.
- From the service menu, select the appropriate service.
- Click the Edit configuration button and then select Clone active. The Domains page appears.
- Click the Settings link. The Settings page appears.
- Click the Force TLS and enable HSTS switch to force TLS and enable HSTS for the service. The request setting for forcing TLS and the header for enabling HSTS will automatically be created for you.
- Click the Activate button to deploy your configuration changes.
WARNING: You may experience problems if you enable this setting along with the override host setting. Instead of enabling the override host setting, create a new request setting and specify the override host in the advanced options.
Manually enabling HSTS
If you'd like to configure additional HSTS options, you'll need to manually enable HSTS by adding a new header as follows.
NOTE: If you followed the instructions in the previous section, click the Force TLS and enable HSTS switch to remove the request setting and header that were automatically created.
- Follow the instructions in forcing a TLS redirect to force unencrypted requests over to TLS.
- Click the Content link. The Content page appears.
- Click the Create header button to create a new header. The Create a header page appears.
- Fill out the Create a header fields as follows:
  - In the Name field, type a human-readable name, such as HSTS. This name is displayed in the Fastly web interface.
  - From the Type menu, select Response, and from the Action menu select Set.
  - In the Destination field, type http.Strict-Transport-Security.
  - In the Source field, type "max-age=<max age in seconds>". For example, "max-age=31536000". As described below, max-age is required and two additional HSTS options can be specified.
  - Leave the Ignore if set menu and the Priority field set to their defaults (or set them as appropriate for your service).
- Click the Create button.
- Click the Activate button to deploy your configuration changes.
HSTS options
If you manually configured the HSTS header, you can specify additional HSTS options.
HSTS requires the max-age directive be set in order to function properly. It specifies how long, in seconds, the browser should remember that the current domain must only be contacted over HTTPS. The example shown above sets max-age to one year (31536000 seconds). You may want to experiment using a smaller value than what is shown.
Two additional options can be specified with the HSTS response header:
- includeSubdomains - This token applies HSTS to all of your site's subdomains. Before you include it, be certain none of your subdomains require functionality on HTTP in a browser. Ensure your TLS certificate is a wildcard or has coverage for all subdomain possibilities.
  IMPORTANT: All subdomains will be unreachable on HTTP by browsers that have seen the HSTS header once includeSubdomains is enabled.
- preload - This token allows you to submit your domain for inclusion in a preloaded HSTS list that is built into several major browsers. Although the token is not part of the HSTS specification, including it in the header is a prerequisite for submitting to this preloaded list.
  WARNING: Don't request browser preload inclusion unless you're sure that you can support HTTPS for the long term. Inclusion in the HSTS Preload List cannot be undone easily. See https://hstspreload.org/ for submission instructions and more information.
Combining all of these options together in the Source field would look like this (the header name itself belongs in the Destination field, as set above):
"max-age=<max age in seconds>; includeSubDomains; preload"
To disable HSTS for whatever reason, simply set the max-age to 0 on an HTTPS connection.
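As an added example (not Fastly's code and not part of this guide), the following Python checker parses a Strict-Transport-Security header value using the directive rules of RFC 6797 and flags the misconfigurations discussed above: a missing max-age, max-age=0 (which removes the policy), and preload without the one-year max-age and includeSubDomains that hstspreload.org requires. The names HSTSPolicy and parse_hsts, and the sample header values, are constructed for this example.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) header value."""
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the max-age value the guide uses, and the preload-list minimum


@dataclass
class HSTSPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains; preload'.

    RFC 6797 section 6.1: directives are ';'-separated, names are case-insensitive,
    a directive may appear only once, unknown directives are ignored, max-age is required.
    """
    policy = HSTSPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # the RFC permits a quoted-string value
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.problems.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age is required; browsers ignore the header without it")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 removes the HSTS policy from the browser")
    if policy.preload:  # submission requirements documented at hstspreload.org
        if (policy.max_age or 0) < ONE_YEAR:
            policy.problems.append("preload requires max-age of at least one year")
        if not policy.include_subdomains:
            policy.problems.append("preload requires includeSubDomains")
    return policy
```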
Additional reading
- RFC 6797, which describes the HSTS specification
- the Wikipedia description of HSTS, including the currently known limitations and a browser support list
- the OWASP.org explanation of HSTS, including descriptions of the threats it addresses
- the Chromium Projects description of HSTS and preloading HSTS sites