# HTTP Strict Transport Security (HSTS) Protection

HTTP Strict Transport Security (HSTS) instructs browsers to connect to your domain **only over HTTPS** for a defined period of time. When enabled, the CDN adds the `Strict-Transport-Security` header to HTTPS responses; a browser that has seen it upgrades later `http://` requests to `https://` before they leave the device, which blocks protocol downgrade attacks and reduces the risk of session or cookie interception on an unencrypted connection.

HSTS can also extend enforcement to subdomains and optionally request inclusion in browser preload lists.

### How HSTS Protection Works

You can configure HSTS in the **Headers** section of the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid-4).

When HSTS Protection is enabled:

* The CDN adds a `Strict-Transport-Security` header to HTTPS responses.
* Browsers cache the policy for the number of seconds given in the `max-age` parameter, counted from each response that carries the header.
* Plain HTTP requests are redirected to HTTPS, so the first visit reaches an HTTPS response carrying the header; browsers ignore the header on HTTP responses.
* Once the policy is cached, the browser rewrites `http://` URLs for the host to `https://` before any request is sent, and refuses to continue past certificate errors for that host.
* Optional parameters extend enforcement to subdomains and request preload inclusion.
* The policy remains active in the browser until the `max-age` period expires; every HTTPS response carrying the header resets the timer.

<figure><img src="/files/Zyk6hpxpnUDrj2znxSjN" alt=""><figcaption><p>HSTS Protection configuration options in the Headers tab</p></figcaption></figure>

#### HSTS Response Header Format

Depending on your configuration, the header may include:

```
Strict-Transport-Security: max-age=<seconds>
Strict-Transport-Security: max-age=<seconds>; includeSubDomains
Strict-Transport-Security: max-age=<seconds>; preload
Strict-Transport-Security: max-age=<seconds>; includeSubDomains; preload
```

### Configuration Options

#### Max Age (Seconds)

Defines, in seconds, how long the browser must enforce HTTPS for your domain, counted from the last HTTPS response that carried the header.\
Common values:

* `31536000` (1 year)
* `63072000` (2 years)

#### Include Subdomains

When enabled, HSTS applies to **all subdomains**, not only the primary domain.

#### Preload

Requests inclusion in browser preload lists.\
(Preload requires `max-age ≥ 31536000`, `includeSubDomains`, and the `preload` directive itself. Setting the directive does not by itself add your domain to any list; see Notes.)

### Use Cases

* Enforce HTTPS-only access for compliance or security policies.
* Reduce risk of downgrade/MiTM attacks.
* Strengthen browser-side enforcement for high-value applications.
* Ensure all subdomains, including those that do not themselves redirect HTTP to HTTPS, are protected once a browser has cached the policy from the parent domain (requires Include Subdomains).

### Notes

* HSTS applies only to **HTTPS responses**; the header is not sent over HTTP, and browsers ignore it if it ever arrives over HTTP. The very first plain-HTTP visit is therefore protected only by the redirect (or by preload).
* Incorrect configuration may block HTTP fallback paths if subdomains or legacy systems depend on them.
* Preload inclusion requires submitting your domain to the browser preload list at hstspreload.org; submission is manual and separate from this setting. Removal from the list is slow, since it waits on browser releases, so treat preload as effectively permanent.
* Lowering or removing `max-age` takes effect in a browser only when that browser next receives the header over HTTPS; browsers that do not revisit keep the previously cached expiry. A `max-age=0` response removes the cached policy for that host on receipt, but has no effect on preloaded domains.
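The behaviour described in "How HSTS Protection Works", the header formats and preload requirements under "Configuration Options", and the rollback caveat above are easier to reason about with a small model. The following Python is an added example written for this page, not Medianova code: it parses a `Strict-Transport-Security` value, reports why a header would fail the preload requirements stated above (plus the `preload` token itself, which hstspreload.org also requires), and models a browser's policy store so you can see that a header on an HTTP response is ignored, that `includeSubDomains` matches by DNS label rather than by string suffix, and that lowering `max-age` only reaches browsers that revisit. All host names, header values and timestamps are constructed.

```python
"""HSTS header parser, preload eligibility check and a model of the browser-side
policy cache. Added example for this page, not Medianova code; every host,
header value and timestamp below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the page's minimum for preload


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value. Directive names are
    case-insensitive, max-age is mandatory, unknown directives are ignored."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Reasons the header itself would fail preload submission. hstspreload.org
    also checks things outside the header (HTTP->HTTPS redirect, base domain)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class BrowserHstsCache:
    """Minimal model of a browser's HSTS host store (RFC 6797 behaviour)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def observe(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        """Record a response. The header only counts over HTTPS; each HTTPS
        response carrying it resets the expiry, and max-age=0 deletes the entry."""
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header)
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if host, or a parent domain whose entry has includeSubDomains,
        has an unexpired policy. Matching is label-wise: a.example.com matches
        an example.com entry, notexample.com does not."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue  # no entry, or expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL before any request is sent, as a browser does.
        Explicit ports are not modelled (RFC 6797 maps 80 to 443, keeps others)."""
        if not url.startswith("http://"):
            return url
        rest = url[len("http://"):]
        host = rest.split("/", 1)[0]
        return "https://" + rest if self.must_use_https(host, now) else url


if __name__ == "__main__":
    T0 = 1_700_000_000.0  # constructed clock, in seconds
    weak, strong = "max-age=86400", "max-age=63072000; includeSubDomains; preload"
    print("preload problems (weak):  ", preload_problems(parse_hsts(weak)))
    print("preload problems (strong):", preload_problems(parse_hsts(strong)))
    cache = BrowserHstsCache()
    cache.observe("example.com", "http", strong, T0)            # ignored: plain HTTP
    print(cache.rewrite("http://example.com/login", T0))        # still http://
    cache.observe("example.com", "https", strong, T0)           # first HTTPS visit caches it
    print(cache.rewrite("http://api.example.com/v1", T0 + 10))  # upgraded via includeSubDomains
    # Rollback caveat: a shorter max-age only reaches browsers that revisit.
    stale = BrowserHstsCache()
    stale.observe("example.com", "https", strong, T0)
    cache.observe("example.com", "https", "max-age=0", T0 + 100)  # this browser revisited
    print(cache.must_use_https("example.com", T0 + 200), stale.must_use_https("example.com", T0 + 200))
```

To check a live deployment, fetch the headers with `curl -sI https://<your-host>/`, pass the `Strict-Transport-Security` value to `parse_hsts`, and run `preload_problems` on the result before submitting to hstspreload.org; also fetch `http://<your-host>/` and confirm you get a redirect rather than content, since the browser model above shows the header does nothing when it arrives over plain HTTP.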


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://clients.medianova.com/products/performance-cdn/static-content-delivery/advanced-configuration/headers/http-strict-transport-hsts-protection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
