Configure support for HTTP strict transport security (HSTS) 编辑

Citrix ADC appliances support HTTP strict transport security (HSTS) as an in-built option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

Enable HSTS in an SSL front-end profile or on an SSL virtual server. If you enable SSL profiles, then you must enable HSTS on an SSL profile instead of enabling it on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains must be included. For example, you can specify that subdomains for www.example.com, such as www.abc.example.com and www.xyx.example.com, can be accessed only by using HTTPS by setting the IncludeSubdomains parameter to YES.

If you access any websites that support HSTS, the response header from the server contains an entry similar to the following:

The client stores this information for the time specified in the max-age parameter. For subsequent requests to that website, the client checks its memory for an HSTS entry. If an entry is found, it accesses that website only by using HTTPS.

You can configure HSTS at the time of creating an SSL profile or an SSL virtual server by using the add command. You can also configure HSTS on an existing SSL profile or SSL virtual server by modifying it using the set command.

Configure HSTS by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -maxage <positive_integer> -IncludeSubdomains ( YES | NO)
set ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED )
<!--NeedCopy-->