Enabling HSTS through Fastly

      Last updated July 19, 2019

    The HTTP Strict Transport Security (HSTS) security enhancement specification provides a way to force modern browsers to communicate only via the Transport Layer Security (TLS) protocol. Once enabled, HSTS will force the browser to redirect (typically with a status code 307) to the HTTPS URL.


    These instructions assume that you've set up TLS service with Fastly.

    Forcing TLS and enabling HSTS

    To force TLS and enable HSTS, follow these steps.

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Edit configuration button and then select Clone active. The Domains page appears.
    4. Click the Settings link. The Settings page appears.
    5. Click the Force TLS and enable HSTS switch to force TLS and enable HSTS for the service.

      (Screenshot: new HSTS settings)

      The request setting for forcing TLS and the header for enabling HSTS will automatically be created for you.

    6. Click the Activate button to deploy your configuration changes.

    Manually enabling HSTS

    If you'd like to configure additional HSTS options, you'll need to enable HSTS manually by adding a new header as follows.

    1. Follow the instructions in forcing a TLS redirect to force unencrypted requests over to TLS.
    2. Click the Content link. The Content page appears.
    3. Click the Create header button to create a new header. The Create a header page appears.

      (Screenshot: new header window with HSTS settings)

    4. Fill out the Create a header fields as follows:
      • In the Name field, type a human-readable name, such as HSTS. This name is displayed in the Fastly web interface.
      • From the Type menu, select Response, and from the Action menu select Set.
      • In the Destination field, type http.Strict-Transport-Security.
      • In the Source field, type "max-age=<max age in seconds>". For example, "max-age=31536000". As described below, max-age is required and two additional HSTS options can be specified.
      • Leave the Ignore if set menu and the Priority field set to their defaults (or set them as appropriate for your service).
    5. Click the Create button.
    6. Click the Activate button to deploy your configuration changes.

    HSTS options

    If you manually configured the HSTS header, you can specify additional HSTS options.

    HSTS requires the max-age directive be set in order to function properly. It specifies how long in seconds to remember that the current domain should only be contacted over HTTPS. The example shown above sets max-age to one year (31536000 seconds = 1 year). You may want to experiment using a smaller value than what is shown.

    Two additional options can be specified with the HSTS response header:

      • includeSubDomains: applies the HSTS policy to every subdomain of the current domain as well, so each subdomain must also be reachable over HTTPS.
      • preload: signals that you intend to submit the domain to the HSTS Preload List (see below); browsers that ship the list enforce HTTPS for the domain even on the very first visit.

    Combining all of these options together in the Source field would look like this (the header name itself goes in the Destination field, so the Source contains only the value):

    "max-age=<max age in seconds>; includeSubDomains; preload"

    To disable HSTS for whatever reason, simply set the max-age to 0 on an HTTPS connection.

    The HSTS Preload List is managed by a third party, not by Fastly. See https://hstspreload.org/ for more information.
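    The following is an added check, not part of the original Fastly documentation: a small parser for the Strict-Transport-Security header value described above that reports whether the policy is missing max-age (so browsers ignore it), disabled (max-age=0), merely enabled, or ready for the preload list. The function names (parse_hsts, check_hsts), the ONE_YEAR constant and the sample header values are constructed for this example; the preload-readiness rule assumes the header requirements published at hstspreload.org (max-age of at least 31536000, includeSubDomains and preload all present).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Example max-age used on the page: 31536000 seconds = 1 year. The preload
# list requires at least this value (assumption based on hstspreload.org).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header VALUE (what goes in the Fastly
    Source field, without the header name). Directive names are case-insensitive
    and separated by ';'; max-age may carry a quoted value (RFC 6797)."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                policy.problems.append(f"max-age must be a non-negative integer, got {arg!r}")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            # Also catches the common mistake of typing the header name into the
            # value, e.g. "Strict-Transport-Security: max-age=...".
            policy.problems.append(f"unknown directive ignored: {name}")
    if policy.max_age is None:
        policy.problems.append("max-age is required; browsers ignore the header without it")
    return policy


def check_hsts(value: str) -> dict:
    """Classify a header value as invalid, disabled, enabled or preload-ready."""
    policy = parse_hsts(value)
    if policy.max_age is None:
        status = "invalid"
    elif policy.max_age == 0:
        status = "disabled"  # the page's way to switch HSTS off: max-age=0 over HTTPS
    elif policy.include_subdomains and policy.preload and policy.max_age >= ONE_YEAR:
        status = "preload-ready"
    else:
        status = "enabled"
        if policy.preload:
            policy.problems.append(
                "preload is set but the preload list also requires includeSubDomains "
                "and max-age >= 31536000"
            )
    return {
        "status": status,
        "max_age": policy.max_age,
        "include_subdomains": policy.include_subdomains,
        "preload": policy.preload,
        "problems": policy.problems,
    }


# Constructed sample values, as they would be typed into the Source field.
SAMPLES = [
    "max-age=31536000",
    "max-age=31536000; includeSubDomains; preload",
    "max-age=0",
    "max-age=300; preload",
    "includeSubDomains",
    "Strict-Transport-Security: max-age=31536000",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_hsts(sample)
        print(f"{sample!r:55} -> {result['status']}", *result["problems"], sep="\n    ")
```

To use it against a live service, pass the value of the Strict-Transport-Security header from an HTTPS response (for example the output of curl -sI) to check_hsts; a status of "invalid" means the header as deployed does nothing.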
