How to use HSTS with MaxCDN
September 11, 2014 | Dmitriy Akulov
HSTS stands for HTTP Strict Transport Security, a security feature supported by most major browsers.
How HSTS Works
What it does is force the browser to use HTTPS instead of HTTP when connecting to a particular website. Even if a user types in an http:// URL, the browser will automatically correct it and connect to https://.
This feature is enabled on the server side by the owner of the website, and all it requires is adding the following HTTP header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
max-age works exactly like it does in caching: it specifies for how long the browser will assume that the website must be opened via HTTPS.
The point of this is to make sure that even if you try to access a website over a compromised network, nothing an attacker does will make your browser fall back to the unencrypted HTTP protocol and expose your personal information. So as long as you have visited the real website over HTTPS once and your browser has read the HSTS header, you are not in danger.
The includeSubdomains directive works the same way, but it also forces all subdomains of the website to be loaded via HTTPS.
An example header would be:
Strict-Transport-Security: max-age=631138519; includeSubdomains
This means that for 20 years, no matter where you are, the browser will force you to use HTTPS to connect to the website and all of its subdomains.
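As an added illustration of the browser-side behaviour described above (example code, not from the original post or from MaxCDN), the following Python models the policy cache a browser keeps: it parses the header, records a policy only when it arrived over HTTPS, and rewrites http:// URLs for covered hosts until max-age expires. The function names and the in-memory cache are hypothetical.

```python
# Added example: a minimal model of a browser's HSTS cache (not MaxCDN code).
import time
from urllib.parse import urlsplit, urlunsplit

# host -> (expiry_timestamp, include_subdomains); hypothetical in-memory store
_hsts_cache = {}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the required max-age directive is missing or malformed."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age" and value.strip().isdigit():
            max_age = int(value.strip())
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub

def record_hsts(host, header, over_https, now=None):
    """Store the policy for host, but only if the response came over HTTPS."""
    if not over_https:
        return False  # browsers ignore the header on plain HTTP responses
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    now = time.time() if now is None else now
    if max_age == 0:
        _hsts_cache.pop(host, None)  # max-age=0 tells the browser to forget the host
        return True
    _hsts_cache[host] = (now + max_age, include_sub)
    return True

def upgrade_url(url, now=None):
    """Rewrite http:// to https:// when a non-expired policy covers the host."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        entry = _hsts_cache.get(".".join(labels[i:]))  # host, then each parent domain
        if entry is None or entry[0] <= now:
            continue
        if i == 0 or entry[1]:  # exact host match, or a parent with includeSubdomains
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```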
HSTS Performance Benefits
A regular HTTP to HTTPS redirect can take up to 500ms, depending on the load and speed of the server. This is a lot, and it can be a major problem when you want the absolute best performance.
With the HSTS header the redirect is performed by the browser itself, completely removing the initial HTTP connection and the redirect to HTTPS.
HSTS on MaxCDN Edges
If you are using MaxCDN and you wish to enable this on our Edges you can do it via EdgeRules.
- Use our recipes to create an HTTP to HTTPS redirect
The reason we need an HTTPS redirect here is that HSTS won't work if the page is loaded over HTTP. The browser will only honour the header if the connection was established via HTTPS. So the first time a user connects to the website they will be redirected in the traditional way, and only after that will HSTS have any effect.
- In the created rule add a new directive and select “ADD HEADER” from the dropdown. Type in the header without the semicolon like this:
The result will be this:
- Save the rule and you are done!