search
medianova.comSupportLog in

HTTP Strict Transport (HSTS) Protection

Learn how HSTS Protection enforces HTTPS-only access for your CDN Resource.

HTTP Strict Transport Security (HSTS) instructs browsers to connect to your domain only over HTTPS for a defined period of time. When enabled, the CDN adds the Strict-Transport-Security header to HTTPS responses, preventing protocol downgrade attacks and reducing the risk of session or cookie interception.

HSTS can also extend enforcement to subdomains and optionally request inclusion in browser preload lists.

hashtag
How HSTS Protection Works

You can configure X-CDN Header in the Medianova Control Panelarrow-up-right or via APIarrow-up-right

When HSTS Protection is enabled:

  • The CDN adds a Strict-Transport-Security header to HTTPS responses.

  • Browsers cache the policy for the duration specified in the max-age parameter.

  • HTTP requests are redirected to HTTPS before the HSTS header is evaluated.

  • Optional parameters allow extending enforcement to subdomains and requesting preload inclusion.

  • The policy remains active in the browser until the max-age period expires.

HSTS Protection configuration options in the Headers tab

hashtag
HSTS Response Header Format

Depending on your configuration, the header may include:

hashtag
Configuration Options

hashtag
Max Age (Seconds)

Defines how long the browser must enforce HTTPS for your domain. Common values:

  • 31536000 (1 year)

  • 63072000 (2 years)

hashtag
Include Subdomains

When enabled, HSTS applies to all subdomains, not only the primary domain.

hashtag
Preload

Requests inclusion in browser preload lists. (Preload requires max-age ≥ 31536000 and includeSubDomains to be enabled.)

hashtag
Use Cases

  • Enforce HTTPS-only access for compliance or security policies.

  • Reduce risk of downgrade/MiTM attacks.

  • Strengthen browser-side enforcement for high-value applications.

  • Ensure all subdomains—including those without valid HTTP → HTTPS redirects—are protected.

hashtag
Notes

  • HSTS applies only to HTTPS responses; the header is not sent over HTTP.

  • Incorrect configuration may block HTTP fallback paths if subdomains or legacy systems depend on them.

  • Preload inclusion requires submitting your domain to the global HSTS preload list.

  • Changing the HSTS max-age does not immediately remove the policy from browsers; they follow previously cached durations.

PreviousOrigin Host HeaderNextX-Frame Options

Last updated

Was this helpful?