The HTTP Strict Transport Security (HSTS) feature is a security policy mechanism that helps to protect against man-in-the-middle attacks by telling web browsers that they should use only HTTPS to connect.
The header is added to all HTTP responses on port 443, specifying a lifetime of one year. Optional directives can be added by setting the multi-value property hstsFlags in the locked.properties file. The following values are supported.
| Value | Effect |
|---|---|
| includeSubDomains | Applies the policy to all subdomains of this site. |
| preload | Hint that this site may be included in HSTS preload lists. |
Example:

```
hstsFlags.1=includeSubDomains
hstsFlags.2=preload
```
Note: These values are not set by default because they affect every URL under the server's domain, not only Horizon URLs. Do not set them unless you understand the implications.