Enabling HSTS through Fastly

HTTP Strict Transport Security (HSTS) is a response header that tells a supporting browser to contact the domain only over Transport Layer Security (TLS), that is over HTTPS, for a stated period. While the policy is cached, the browser rewrites any http:// URL for that host to https:// before the request leaves the client, so no plaintext request is sent (Chrome reports this as a 307 Internal Redirect in its developer tools). Browsers honor the header only when it arrives over HTTPS, and it only takes effect after the first successful HTTPS visit, so it does not replace an HTTP-to-HTTPS redirect for that first request.

Enabling HSTS

To enable HSTS, add a new header as follows:

  1. Log in to the Fastly application.
  2. Click the configure tab to access the control panel.

    the configure tab

  3. Select the appropriate service from the Service menu.

  4. Click the blue Configure button to the right of the service name.

  5. Click the Content section.

  6. In the Headers area, click the New button to create a new header. The New Header window appears.

    new header window with HSTS settings

  7. Fill out the New Header window as follows:

    • In the Name field, type an appropriate name, such as HSTS.
    • From the Type/Action menus, select Response and Set.
    • In the Destination field type http.Strict-Transport-Security.
    • In the Source field type "max-age=<max age in seconds>", including the double quotes, because the Source field is evaluated as a VCL expression and the header value must be a quoted string literal. For example, "max-age=31536000". As described below, max-age is required and two additional HSTS options can be specified.
    • Leave the Ignore if Set menu and the Priority field set to their defaults (or set them as appropriate for your service).
  8. Click the Create button. A new header appears in the Headers area of the Content section.

HSTS options

HSTS requires the max-age directive be set in order to function properly. It specifies how long, in seconds, the browser should remember that the current domain must only be contacted over HTTPS. The example shown above sets max-age to one year (31536000 seconds = 1 year). Start with a much smaller value (minutes or hours) while rolling out, because any HTTPS breakage on the site makes it unreachable in browsers that have cached the policy until max-age expires; raise the value once you are confident every host covered by the policy serves correctly over HTTPS.

Two additional options can be specified with the HSTS response header:

    • includeSubDomains: apply the policy to all subdomains of the current domain as well. Only set this if every subdomain (including internal or development hosts) is served over HTTPS, since browsers will refuse plain HTTP to all of them for the max-age period.
    • preload: signals that you intend to submit the domain to the browsers' built-in HSTS preload list, so that even the first visit is forced to HTTPS. The preload list additionally requires includeSubDomains and a long max-age.

Combining all of these options together in the Source field would look like this:

"max-age=<max age in seconds>; includeSubDomains; preload"

Do not put the header name in the Source field; it holds only the value. With the Destination set to http.Strict-Transport-Security, the response header Fastly sends would then read:

Strict-Transport-Security: max-age=<max age in seconds>; includeSubDomains; preload

To disable HSTS for whatever reason, set the max-age to 0 and keep sending the header on HTTPS connections. Browsers ignore the header on plain HTTP, and a browser only forgets the cached policy when it next receives max-age=0 over HTTPS, so clients that have already cached a long max-age stay on HTTPS until then. Setting max-age to 0 does not remove a domain from the preload list.

The HSTS Preload List is managed by a third party, not by Fastly. See https://hstspreload.appspot.com/ for more information. Treat preload submission as effectively permanent: the entry ships inside browser releases, and removal takes months to reach users, so submit only a domain where every subdomain is committed to HTTPS.
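The following validator is an added example and is not Fastly's code or part of the original page. It parses a Strict-Transport-Security value the way a browser does (RFC 6797 rules: semicolon-separated, case-insensitive directive names, max-age required, no repeated directives, unknown directives ignored), flags the mistake of pasting the whole header line into the Source field, reports whether max-age=0 would clear the policy, and checks preload eligibility. The preload threshold (max-age of at least one year with includeSubDomains and preload) is an assumption based on the submission requirements of the preload list at the time of writing; check the list's own site before submitting. The sample header values are constructed for the example.

```python
"""Validate a Strict-Transport-Security header value before or after deploying it.

Added example, not Fastly's code. Parsing follows RFC 6797; the preload
thresholds are an assumption based on the hstspreload submission rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000             # seconds; the value the page's example uses
PRELOAD_MIN_MAX_AGE = ONE_YEAR  # assumption: preload list requires >= 1 year
ROLLOUT_WARN_BELOW = 86400      # warn-only threshold for a first rollout (1 day)


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)  # syntax errors -> browser ignores header

    @property
    def valid(self) -> bool:
        return not self.problems and self.max_age is not None

    @property
    def disabled(self) -> bool:
        # max-age=0 over HTTPS tells the browser to forget its cached policy
        return self.valid and self.max_age == 0

    @property
    def preload_eligible(self) -> bool:
        return (self.valid and self.preload and self.include_subdomains
                and self.max_age >= PRELOAD_MIN_MAX_AGE)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains'."""
    policy = HstsPolicy()
    # Fastly pitfall: the whole header line pasted into the Source field.
    if re.match(r"\s*strict-transport-security\s*:", value, re.I):
        policy.problems.append(
            "value starts with the header name; the Source field holds only the directives")
        value = value.split(":", 1)[1]
    seen = set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')      # directive values may be quoted-string
        if name in seen:                  # RFC 6797: a directive MUST NOT repeat
            policy.problems.append(f"directive repeated: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                policy.problems.append(f"max-age must be a non-negative integer, got {arg!r}")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as browsers do
    if policy.max_age is None:
        policy.problems.append("max-age directive is required")
    return policy


def review(value: str) -> List[str]:
    """Return human-readable findings for a header value (empty list means clean)."""
    p = parse_hsts(value)
    findings = list(p.problems)
    if p.problems:
        return findings
    if p.disabled:
        findings.append("max-age=0: browsers will drop the cached policy (HSTS disabled)")
    elif p.max_age < ROLLOUT_WARN_BELOW:
        findings.append(f"max-age={p.max_age} is short; fine for rollout, raise it later")
    if p.preload and not p.preload_eligible:
        findings.append("preload set but not eligible: needs includeSubDomains and "
                        f"max-age >= {PRELOAD_MIN_MAX_AGE}")
    return findings


if __name__ == "__main__":
    # constructed sample values, not captured from any real site
    for sample in ["max-age=31536000; includeSubDomains; preload",
                   "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
                   "max-age=0",
                   "max-age=10886400; preload"]:
        print(f"{sample!r}: {review(sample) or ['ok']}")
```

Run it against the value you intend to put in the Source field, or against the header captured from your service with `curl -sI https://your-host/`, before and after you raise max-age or add preload.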

Additional reading
