Enabling HSTS through Fastly
Last updated September 20, 2016
The HTTP Strict Transport Security (HSTS) security enhancement specification provides a way to force modern browsers to communicate only via the Transport Layer Security (TLS) protocol. Once enabled, it will force the browser to redirect (typically with a status code 307) to the HTTPS URL.
NOTE: HSTS only takes effect after a site has been visited on a trusted HTTPS connection. It doesn't replace the need to have redirects from your HTTP site.
To enable HSTS, add a new header as follows:
- Log in to the Fastly web interface and click the Configure link.
- From the service menu, select the appropriate service.
- Click the Edit configuration button and then select Clone active. The service version page appears.
- Click the Content tab. The Content page appears.
Click the Create header button to create a new header. The Create a new header page appears.
- Fill out the Create a new header fields as follows:
- From the Type menu, select Response, and from the Action menu select Set.
- In the Destination field, type
- In the Source field, type
"max-age=<max age in seconds>". For example,
"max-age=31536000". As described below,
max-ageis required and two additional HSTS options can be specified.
- Leave the Ignore if set menu and the Priority field set to their defaults (or set them as appropriate for your service).
- In the Description field, type a human-readable name, such as
HSTS. This name is displayed in the Fastly web interface.
- Click the Create button.
- Click the Activate button to deploy your configuration changes.
HSTS requires the max-age directive be set in order to function properly. It specifies how long in seconds to remember that the current domain should only be contacted over HTTPS. The example shown above sets
max-age to one year (31536000 seconds = 1 year). You may want to experiment using a smaller value than what is shown.
Two additional options can be specified with the HSTS response header:
includeSubdomains- This token applies HSTS to all of your site's subdomains. Before you include it, be certain none of your subdomains require functionality on HTTP in a browser. Ensure your TLS certificate is a wildcard or has coverage for all subdomain possibilities.
IMPORTANT: All subdomains will be unreachable on HTTP by browsers that have seen the HSTS header once
preload- This token allows you to submit your domain for inclusion in a preloaded HSTS list that is built into several major browsers. Although the token is not part of the HSTS specification, including it in the header is a prerequisite for submitting to this preloaded list.
WARNING: Don't request browser preload inclusion unless you're sure that you can support HTTPS for the long term. Inclusion in the HSTS Preload List cannot be undone easily. See https://hstspreload.appspot.com/ for submission instructions and more information.
Combining all of these options together in the Source field would look like this:
"Strict-Transport-Security: max-age=<max age in seconds>; includeSubDomains; preload"
To disable HSTS for whatever reason, simply set the
0 on an HTTPS connection.
- RFC 6797, which describes the HSTS specification
- the Wikipedia description of HSTS, including the currently known limitations and a browser support list
- the OWASP.org explanation of HSTS, including descriptions of the threats it addresses
- the Chromium Projects description of HSTS and preloading HSTS sites
Back to Top