# HTTP Strict Transport Security (HSTS) Protection

HTTP Strict Transport Security (HSTS) instructs browsers to connect to your domain **only over HTTPS** for a defined period of time. When enabled, the CDN adds the `Strict-Transport-Security` header to HTTPS responses, preventing protocol downgrade attacks and reducing the risk of session or cookie interception.

HSTS can also extend enforcement to subdomains and optionally request inclusion in browser preload lists.

### How HSTS Protection Works

You can configure HSTS Protection in the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid-4).

When HSTS Protection is enabled:

* The CDN adds a `Strict-Transport-Security` header to HTTPS responses.
* Browsers cache the policy for the duration specified in the `max-age` parameter and, from then on, rewrite any `http://` URL for the domain to `https://` before sending the request.
* HTTP requests are redirected to HTTPS; browsers ignore the header on plain HTTP responses, so a first-time visitor only learns the policy from an HTTPS response.
* Optional parameters allow extending enforcement to subdomains and requesting preload inclusion.
* The policy remains active in the browser until the `max-age` period expires, or until a later HTTPS response replaces it with a new `max-age`.

<figure><img src="https://542970813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtK7oIwmhUHdEJcaH4Hx8%2Fuploads%2FLNa7sJaI1hdYgA85sVUD%2Fimage.png?alt=media&#x26;token=5008c673-51ac-4897-9e17-c201a845c05a" alt=""><figcaption><p>HSTS Protection configuration options in the Headers tab</p></figcaption></figure>

#### HSTS Response Header Format

Depending on your configuration, the header may include:

```
Strict-Transport-Security: max-age=<seconds>
Strict-Transport-Security: max-age=<seconds>; includeSubDomains
Strict-Transport-Security: max-age=<seconds>; preload
Strict-Transport-Security: max-age=<seconds>; includeSubDomains; preload
```

### Configuration Options

#### Max Age (Seconds)

Defines how long the browser must enforce HTTPS for your domain.\
Common values:

* `31536000` (1 year)
* `63072000` (2 years)

#### Include Subdomains

When enabled, HSTS applies to **all subdomains**, not only the primary domain.

#### Preload

Adds the `preload` directive, which signals that you intend to submit the domain to browser preload lists.\
(Preload requires `max-age ≥ 31536000`, i.e. at least one year, and `includeSubDomains` to be enabled.)
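The following Python script is an added example, not Medianova's own code. It parses a `Strict-Transport-Security` value the way a browser does (RFC 6797: directive names are case-insensitive, values may be quoted, `max-age` is required, and a repeated directive invalidates the whole header) and then checks the three options above against the preload requirements. The `PRELOAD_MIN_MAX_AGE` constant is the one-year minimum stated above; the sample responses at the bottom are constructed and no CDN is contacted.

```python
"""Parse and sanity-check a Strict-Transport-Security header.
Added example; not Medianova code. Sample header values are constructed."""
import re

# Minimum max-age the preload list accepts (one year), as stated above.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an STS header value per RFC 6797 section 6.1.

    Directive names are case-insensitive, values may be quoted, unknown
    directives are ignored, and a repeated directive or a missing or
    non-numeric max-age makes the whole header invalid (returns None),
    which is how a conforming browser treats it (it then ignores the header).
    """
    seen = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = value.strip().strip('"')
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def check_hsts(scheme, header_value):
    """Judge a response the way a browser and the preload list would.

    Returns (policy_takes_effect, findings). `scheme` is the scheme of the
    response that carried the header; browsers discard the header on http://.
    """
    findings = []
    if scheme.lower() != "https":
        findings.append("header received over HTTP is ignored by browsers")
        return False, findings
    policy = parse_hsts(header_value)
    if policy is None:
        findings.append("invalid header: missing, repeated or non-numeric max-age")
        return False, findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes any previously cached policy")
    if policy["preload"]:
        # Both conditions are required before hstspreload.org accepts a domain.
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}")
        if not policy["include_subdomains"]:
            findings.append("preload requires includeSubDomains")
    return policy["max_age"] > 0, findings


if __name__ == "__main__":
    # Constructed responses: (scheme, header value) pairs.
    samples = [
        ("https", "max-age=63072000; includeSubDomains; preload"),  # preload-ready
        ("https", "max-age=300; preload"),                          # both preload rules broken
        ("http", "max-age=31536000"),                                # wrong scheme, ignored
        ("https", "max-age=0"),                                      # clears the policy
        ("https", "includeSubDomains"),                              # no max-age: invalid
    ]
    for scheme, value in samples:
        active, notes = check_hsts(scheme, value)
        print(f"{scheme:5} {value!r:50} active={active} {notes}")
```

To check a live deployment, feed `check_hsts` the scheme and header value of an actual response (for example from `curl -sI https://your-domain/`); a header that parses but fails either preload rule is still enforced by browsers, it just will not be accepted for preloading.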

### Use Cases

* Enforce HTTPS-only access for compliance or security policies.
* Reduce risk of downgrade/MiTM attacks.
* Strengthen browser-side enforcement for high-value applications.
* With Include Subdomains, ensure all subdomains—including those without valid HTTP → HTTPS redirects—are protected once a browser has seen the policy on the parent domain.

### Notes

* HSTS applies only to **HTTPS responses**; the header is not sent over HTTP.
* `includeSubDomains` applies to every subdomain, including internal, staging or legacy hosts that are not served over HTTPS; browsers that have cached the policy will refuse to reach them over plain HTTP for the full `max-age`, so inventory your subdomains before enabling it.
* Preload inclusion requires submitting your domain to the global HSTS preload list; the `preload` directive alone only signals consent. Preloaded entries are built into browsers and cannot be removed by lowering `max-age`, only by a removal request to the list.
* Lowering or disabling HSTS does not immediately remove the policy from browsers that have already cached it: a browser only updates its entry when it next receives the header over HTTPS, and keeps the previously cached expiry until then. To clear the policy on the next visit, serve `max-age=0` over HTTPS rather than simply removing the header.
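To see why the last notes matter, here is a small Python model of the browser-side HSTS store (RFC 6797 section 8), added as an illustration and not part of Medianova's documentation or code; the hostnames and timestamps are constructed. It reproduces three rules: the header is ignored on HTTP responses (so neither the origin nor an on-path attacker can change the policy over plain HTTP), `max-age=0` received over HTTPS deletes the entry, and an entry is only ever replaced when a new header arrives over HTTPS, so a long `max-age` already cached stays in force whatever the CDN now sends to other clients. Preloaded entries are not modelled; those cannot be cleared by `max-age=0` at all.

```python
"""Model of a browser's HSTS policy store (RFC 6797 section 8).
Added example, not Medianova code; no real browser is involved."""


class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, scheme, max_age, include_subdomains, now):
        """Process a response from `host` (RFC 6797 section 8.1).

        The header is ignored on plain HTTP; max-age=0 deletes the entry;
        otherwise the entry is created or replaced with a fresh expiry.
        """
        if scheme.lower() != "https":
            return
        if max_age == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + max_age, include_subdomains)

    def is_enforced(self, host, now):
        """True if `host`, or a superdomain whose entry has includeSubDomains,
        has an unexpired entry. Expired entries are skipped, not deleted."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue
            if candidate == host or include_subdomains:
                return True
        return False


def demo_max_age_change():
    """Walk through the note above: lowering max-age on the CDN does not
    shorten what a browser already cached until it revisits over HTTPS.
    Returns (still_enforced_after_a_year, subdomain_covered, cleared)."""
    store = HstsStore()
    t0 = 1_700_000_000  # constructed epoch timestamp
    # First HTTPS visit: 2-year policy with includeSubDomains is cached.
    store.observe("www.example.com", "https", 63072000, True, t0)
    # The CDN operator now lowers max-age (or an attacker injects max-age=0),
    # but this client only sees it over plain HTTP: ignored.
    store.observe("www.example.com", "http", 0, False, t0 + 10)
    still_on_after_year = store.is_enforced("www.example.com", t0 + 31536000 + 1)
    # includeSubDomains covers hosts the browser has never visited.
    covers_subdomain = store.is_enforced("api.www.example.com", t0 + 100)
    # Only max-age=0 delivered over HTTPS clears the cached entry.
    store.observe("www.example.com", "https", 0, False, t0 + 200)
    cleared = not store.is_enforced("www.example.com", t0 + 201)
    return still_on_after_year, covers_subdomain, cleared


if __name__ == "__main__":
    print(demo_max_age_change())  # (True, True, True)
```

The practical consequence: before shortening `max-age` or disabling HSTS on a domain that is also being renamed or moved off HTTPS, serve `max-age=0` over HTTPS for at least as long as the previous `max-age` so that returning browsers have a chance to clear their entry.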
