HTTP Strict Transport Security (HSTS) Protection

Learn how HSTS Protection enforces HTTPS-only access for your CDN Resource.

HTTP Strict Transport Security (HSTS) instructs browsers to connect to your domain only over HTTPS for a defined period of time. When enabled, the CDN adds the Strict-Transport-Security header to HTTPS responses, preventing protocol downgrade attacks and reducing the risk of session or cookie interception.

HSTS can also extend enforcement to subdomains and optionally request inclusion in browser preload lists.

How HSTS Protection Works

You can configure HSTS Protection in the Medianova Control Panel (Headers tab) or via the API.

When HSTS Protection is enabled:

  • The CDN adds a Strict-Transport-Security header to HTTPS responses.

  • Browsers cache the policy for the duration specified in the max-age parameter.

  • Plain HTTP requests are redirected to HTTPS first. Browsers ignore a Strict-Transport-Security header on an HTTP response, so the policy is only learned from the HTTPS response that follows the redirect.

  • Optional parameters allow extending enforcement to subdomains and requesting preload inclusion.

  • The policy remains active in the browser until the max-age period expires, counted from the most recent HTTPS response that carried the header (every such response refreshes the expiry).

HSTS Protection configuration options in the Headers tab

HSTS Response Header Format

Depending on your configuration, the header value takes one of the following forms (directives are separated by semicolons; max-age is always present):

  • Strict-Transport-Security: max-age=31536000

  • Strict-Transport-Security: max-age=31536000; includeSubDomains

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Configuration Options

Max Age (Seconds)

Defines how long the browser must enforce HTTPS for your domain. Common values:

  • 31536000 (1 year)

  • 63072000 (2 years)

Include Subdomains

When enabled, HSTS applies to all subdomains, not only the primary domain.

Preload

Adds the preload directive, which signals that you intend to submit the domain to browser preload lists. (The preload list requires max-age ≥ 31536000, includeSubDomains and the preload directive to all be present; enabling this option alone does not submit the domain.)

Use Cases

  • Enforce HTTPS-only access for compliance or security policies.

  • Reduce risk of downgrade/MiTM attacks.

  • Strengthen browser-side enforcement for high-value applications.

  • Cover all subdomains with a single policy: with includeSubDomains, browsers upgrade requests to subdomains even where a subdomain has no HTTP → HTTPS redirect of its own (those subdomains must still serve valid HTTPS).

Notes

  • HSTS applies only to HTTPS responses; the header is not sent over HTTP.

  • Incorrect configuration can cut off hosts that still depend on plain HTTP: with includeSubDomains, every subdomain (including internal or legacy systems) must serve valid HTTPS, because browsers will refuse to fall back to HTTP for them.

  • Preload inclusion requires submitting your domain to the global HSTS preload list (hstspreload.org). The list ships inside browser releases, so removal also takes browser release cycles to propagate; treat preloading as a long-term commitment.

  • Lowering max-age or disabling HSTS Protection does not immediately clear the policy from browsers that have already cached it. A browser keeps enforcing HTTPS until its cached expiry passes or until it receives a fresh Strict-Transport-Security header over HTTPS; serving max-age=0 over HTTPS withdraws the policy from returning browsers, while browsers that never return keep the old policy until it expires.
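The behaviour described in How HSTS Protection Works, the header forms above and the caveats in these Notes, as an added example (this is not Medianova's code; the hostnames, the timestamps and the browser-cache model are constructed for illustration): it builds the header value from the configuration options, parses it the way a browser does, checks the header-level preload requirements, and models the browser's policy cache to show that the header is ignored over HTTP, that includeSubDomains covers api.example.com, that switching the header off leaves cached policies in force until they expire, and that max-age=0 over HTTPS withdraws the policy.

```python
"""Added example, not the CDN's code: build/parse Strict-Transport-Security
headers and model how a browser caches the policy (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year: minimum the preload list accepts


def build_hsts_header(max_age: int, include_subdomains: bool = False,
                      preload: bool = False) -> str:
    """Header value the CDN emits for the given Headers-tab options."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Directives are ';'-separated and case-insensitive; max-age is mandatory.
    Returns None for a header a browser would discard."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list:
    """Header-level reasons the preload list would reject this policy."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class BrowserHstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self.store = {}

    def observe_response(self, host: str, scheme: str, header: str, now: int):
        if scheme != "https":          # header on plain HTTP is ignored
            return
        policy = parse_hsts_header(header)
        if policy is None:
            return
        if policy.max_age == 0:        # max-age=0 withdraws the policy
            self.store.pop(host, None)
            return
        self.store[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: int) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):   # host itself, then each parent domain
            candidate = ".".join(labels[i:])
            entry = self.store.get(candidate)
            if entry is None or now >= entry[0]:
                continue
            if candidate == host or entry[1]:
                return True
        return False


def demo() -> dict:
    """Walk through the page's scenarios with constructed hosts and times."""
    t0, one_year = 1_700_000_000, 31536000   # constructed epoch timestamp
    cache = BrowserHstsCache()
    header = build_hsts_header(one_year, include_subdomains=True, preload=True)
    cache.observe_response("example.com", "http", header, t0)      # ignored
    ignored_over_http = not cache.must_use_https("example.com", t0)
    cache.observe_response("example.com", "https", header, t0)     # cached
    covers_subdomain = cache.must_use_https("api.example.com", t0 + 3600)
    # HSTS Protection switched off: no header is sent, yet the policy persists.
    still_enforced = cache.must_use_https("example.com", t0 + 30 * 86400)
    expired = not cache.must_use_https("example.com", t0 + one_year + 1)
    cache.observe_response("example.com", "https", header, t0)
    cache.observe_response("example.com", "https", "max-age=0", t0 + 5)
    withdrawn = not cache.must_use_https("example.com", t0 + 6)
    return {"ignored_over_http": ignored_over_http, "covers_subdomain": covers_subdomain,
            "still_enforced_after_disable": still_enforced, "expired": expired,
            "withdrawn": withdrawn,
            "short_max_age_problems": preload_problems(parse_hsts_header("max-age=86400; preload"))}
```

The cache model deliberately treats a parent domain's entry as covering the host only when includeSubDomains was set, which is exactly why an HTTP-only internal subdomain becomes unreachable once that option is enabled on the apex domain.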
