The HSTS (HTTP Strict Transport Security) policy mechanism is fully supported by Cloud WAF.
HSTS ensures that when a visitor attempts to load the insecure version (HTTP://) of a page, the browser automatically switches to the secure version (HTTPS://) before the request is sent.
HSTS support is available only for sites that have SSL support.
Cloud WAF implements HSTS by adding a header to the page. For example:
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
There are three levels of restrictions for HSTS. Implementing all three restriction levels might not be appropriate for all sites. Restrictions are cumulative. Each level includes enforcement of the previous level.
| Restriction | Description |
| --- | --- |
| Max-Age | (TTL) The amount of time to apply HSTS in the browser before attempting to load the page using HTTP://. |
| Include sub-domains | Enforce HSTS on sub-domains. For example, a page listed on xxx.ddd.com uses resources from images.ddd.com. If HSTS for sub-domains is enabled, the images are also covered. Make sure that the site and all sub-domains support HTTPS so that HSTS does not break an internal resource when rendering the page. |
| Pre-load | The most secure way to enforce HSTS. Ensures the first request goes out in a secure tunnel, since the browser already has that URL in the pre-load list. The domain needs to be listed at https://hstspreload.appspot.com/. |
To enable/disable HSTS support:
- For a specific SSL site: In the SSL Support section, under Strict-Transport-Security (HSTS), click Enable. See the above illustration.
- For all new SSL sites added to your account: See Account Settings.
When you plan to use HSTS for your website, take note of the configuration options below, as they might affect how HSTS behaves for your clients.
The options below are ordered by recommendation (the first is the most recommended).
Option I: HSTS enabled only on Cloud WAF (recommended)
When enabling HSTS only on the Cloud WAF end, all you need to do is configure it in accordance with your website requirements, press "Save" and you are done.
From now on, Cloud WAF will always serve the Strict-Transport-Security header to any clients connecting to your website.
Option II: HSTS enabled only on the origin server
When you choose to enable HSTS only on your origin server, note that the Strict-Transport-Security header will not always be served to clients while the Cloud WAF caching mechanism is on: responses served from the cache are sent by Cloud WAF without the origin's header.
To resolve this, add the Strict-Transport-Security header to the Cache Headers table, under the Performance tab (located at the bottom of the page).
Option III: HSTS enabled on both Cloud WAF and the origin server (not recommended)
When HSTS is enabled on both Cloud WAF and the origin server, the Strict-Transport-Security header will always be served to clients.
However, which end serves it depends on the scenario (essentially a combination of the options above):
- When the response is not served from cache, the header comes directly from the origin server.
- When the response is served from cache, the header comes directly from Cloud WAF.
Consequently, when HSTS is not configured identically on Cloud WAF and the origin server (for example, the max-age differs between the two ends, or the pre-load directive exists on Cloud WAF but is missing on the origin server), clients receive a different policy depending on whether the response was cached, and unexpected behavior might occur due to this inconsistency.
Important note: Make sure the HSTS parameters are identical on Cloud WAF and the origin server.
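As an added example (not Cloud WAF code), the following Python script parses a Strict-Transport-Security header value according to RFC 6797, classifies it into the three cumulative restriction levels from the table above, and compares a Cloud WAF header against an origin header to list every mismatch that Option III warns about. The header_served() function is a hypothetical model of the three serving scenarios described on this page (Option I always from Cloud WAF, Option II from the origin except on cache hits, Option III depending on cache state); it is not an implementation of Cloud WAF's caching layer. The origin header value used in the demo is constructed to show a mismatch.

```python
"""Parse, classify and compare Strict-Transport-Security (HSTS) headers.

Added example, not Cloud WAF code. The header grammar follows RFC 6797;
header_served() is a hypothetical model of the serving scenarios described
in the text, not an implementation of Cloud WAF's caching layer.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LEVEL_NAMES = {
    1: "max-age only",
    2: "max-age + includeSubDomains",
    3: "max-age + includeSubDomains + preload",
}


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int              # seconds the browser keeps forcing HTTPS
    include_subdomains: bool  # policy also covers every sub-domain
    preload: bool             # site intends to be on the browser preload list

    @property
    def level(self) -> int:
        """Cumulative restriction level 1..3. Because the levels build on each
        other, preload only counts when includeSubDomains is also present."""
        if self.preload and self.include_subdomains:
            return 3
        return 2 if self.include_subdomains else 1


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value: directives are ';'-separated, names are
    case-insensitive, max-age is mandatory (quoted value allowed) and
    unknown directives are ignored (RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age appears more than once")
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("missing required max-age directive")
    return HstsPolicy(max_age, include_subdomains, preload)


def compare_policies(waf_value: str, origin_value: str) -> list[str]:
    """List every way the Cloud WAF and origin headers disagree.
    An empty list means both ends are configured identically."""
    waf, origin = parse_hsts(waf_value), parse_hsts(origin_value)
    problems = []
    if waf.max_age != origin.max_age:
        problems.append(f"max-age differs: Cloud WAF={waf.max_age}, origin={origin.max_age}")
    if waf.include_subdomains != origin.include_subdomains:
        problems.append("includeSubDomains present on one end only")
    if waf.preload != origin.preload:
        problems.append("preload present on one end only")
    return problems


def header_served(waf_value: Optional[str], origin_value: Optional[str],
                  cache_hit: bool, sts_in_cache_headers_table: bool = False) -> Optional[str]:
    """Hypothetical model of the STS value the client receives (None = no HSTS).

    Cache miss: the origin response passes through, so its header wins; if the
    origin sends none, Cloud WAF adds its own (when HSTS is enabled there).
    Cache hit: Cloud WAF answers from cache with its own header when HSTS is
    enabled on Cloud WAF; otherwise the origin's header survives caching only
    if it was added to the Cache Headers table (the Option II fix).
    """
    if not cache_hit:
        return origin_value if origin_value is not None else waf_value
    if waf_value is not None:
        return waf_value
    return origin_value if sts_in_cache_headers_table else None


if __name__ == "__main__":
    waf = "max-age=10886400; includeSubDomains; preload"   # the page's example header
    origin = "max-age=31536000; includeSubDomains"         # constructed mismatching origin
    print("Cloud WAF level:", LEVEL_NAMES[parse_hsts(waf).level])
    for problem in compare_policies(waf, origin):
        print("MISMATCH:", problem)
    print("Option II, cache hit, header not in Cache Headers table:",
          header_served(None, origin, cache_hit=True))
```

Run the script as-is to see the level classification, the two mismatches between the constructed headers, and the Option II cache-hit case in which no HSTS header reaches the client at all; compare_policies() returning an empty list is the check to run before enabling HSTS on both ends.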