Strict Transport Security Header Settings
- Last Updated: November 7, 2023
HTTP Strict Transport Security (HSTS) lets a server (here, LMOS) send a response header that instructs the client to make all subsequent connections to that host over HTTPS for a stated period, and to refuse to load any resource in that domain (and optionally its subdomains) over plain HTTP. Browsers honour the header only when it arrives on an HTTPS response, so the Virtual Service must be serving TLS for this setting to have any effect.
The Strict-Transport-Security header has various associated settings, none of which were exposed in the UI in previous releases. With this release, all settings are available through both the API and the UI. In the UI, they are exposed as follows:
- The max-age value of every Strict-Transport-Security header LoadMaster sends defaults to 31536000 seconds (365 days/1 year). This value is global to all Virtual Services and can be changed on the System Configuration > Miscellaneous Options > L7 Configuration page by setting L7 Security Header Age to the desired number of seconds. Two years (63072000 seconds) is a commonly used value; the largest value that can be set is three years (94608000 seconds).
- The content of the Strict-Transport-Security header can be customized for each Virtual Service in the SSL Properties section of the VS configuration:
- Don't add the Strict Transport Security Header: This is the default value.
- Add the Strict Transport Security Header -- no subdomains: Adds the header only to client responses in the domain, not for any subdomains.
- Add the Strict Transport Security Header -- include subdomains: Adds the header to client responses in the domain and all subdomains.
- Add the Strict Transport Security Header -- no subdomains + preload: Adds the header only to client responses in the domain, not for any subdomains, and appends the preload directive. Note that the public preload list (hstspreload.org) requires includeSubDomains, so a policy in this mode will not be accepted for preloading even though the directive is present.
- Add the Strict Transport Security Header -- include subdomains + preload: Adds the header to client responses in the domain and all subdomains and appends the preload directive. The directive only marks the site as eligible; inclusion in browser preload lists requires a separate submission, which also requires a max-age of at least one year. Before choosing this mode, confirm that every subdomain is served over HTTPS, because once the domain is shipped in browser preload lists the policy is effectively permanent for installed browsers and cannot be reverted by changing the header.
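The following is an added example, not LoadMaster code and not part of the original page. It builds the header value that each of the five VS-level choices above produces for a given L7 Security Header Age, parses a Strict-Transport-Security header as a browser would (RFC 6797 section 6.1), and reports the checks a practitioner would run against a deployed Virtual Service: header sent over TLS, max-age present and non-zero, and preload-list eligibility. The mode labels in the MODES table are hypothetical names for the UI options, not LoadMaster API parameter values; the header samples in the usage section are constructed.

```python
"""Build and check Strict-Transport-Security header values.

Added example for this page; it is not LoadMaster code and does not talk to a
LoadMaster. The mode labels in MODES are hypothetical names for the five
VS-level UI choices described in the text, not LoadMaster API parameter names.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_MAX_AGE = 31536000   # LoadMaster default for L7 Security Header Age: 365 days
MAX_ALLOWED_AGE = 94608000   # largest value the setting accepts: 3 years
PRELOAD_MIN_AGE = 31536000   # hstspreload.org requires max-age of at least 1 year

# (includeSubDomains, preload) for each UI choice; None means "Don't add the header".
MODES = {
    "none": None,
    "no-subdomains": (False, False),
    "include-subdomains": (True, False),
    "no-subdomains+preload": (False, True),
    "include-subdomains+preload": (True, True),
}


def build_hsts_header(mode: str, max_age: int = DEFAULT_MAX_AGE) -> Optional[str]:
    """Return the header value a VS in the given mode would emit, or None for 'none'."""
    flags = MODES[mode]
    if flags is None:
        return None
    if not 0 <= max_age <= MAX_ALLOWED_AGE:
        raise ValueError(f"max-age must be between 0 and {MAX_ALLOWED_AGE} seconds")
    include_subdomains, preload = flags
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    unknown: List[str] = field(default_factory=list)


def parse_hsts_header(value: str) -> HstsPolicy:
    """Parse per RFC 6797 s6.1: ';'-separated directives, case-insensitive names,
    max-age may be quoted, a repeated directive makes the whole header invalid."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(name)  # RFC 6797: unrecognised directives are ignored
    return policy


def check_hsts(value: Optional[str], over_https: bool = True) -> List[str]:
    """Return findings for a header as observed on a VS; an empty list means nothing to flag."""
    findings = []
    if value is None:
        return ["no Strict-Transport-Security header: clients will still follow plain-HTTP links"]
    if not over_https:
        findings.append("header seen on a plain-HTTP response: browsers ignore HSTS received without TLS")
    try:
        policy = parse_hsts_header(value)
    except ValueError as exc:
        return findings + [f"unparseable header, browsers will ignore it: {exc}"]
    if policy.max_age is None:
        return findings + ["max-age missing: header is invalid and ignored"]
    if policy.max_age == 0:
        findings.append("max-age=0: tells clients to forget the HSTS policy for this host")
    elif policy.preload and policy.max_age < PRELOAD_MIN_AGE:
        findings.append(f"max-age {policy.max_age} is below one year: not eligible for the preload list")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload without includeSubDomains: preload-list submission will be rejected")
    return findings


if __name__ == "__main__":
    # Constructed samples: what each UI choice emits, then what a reviewer sees when
    # pointing the checker at a header captured from a VS.
    for mode in MODES:
        print(f"{mode:28s} -> {build_hsts_header(mode, 63072000)}")
    for sample in ["max-age=31536000; includeSubDomains; preload", "max-age=300; preload", None]:
        print(sample, "->", check_hsts(sample))
```

In practice the header to feed into check_hsts comes from an HTTPS request to the Virtual Service (for example the response headers shown by curl -sI against the VS address); the over_https flag exists because the same check run against the HTTP listener must report that an HSTS header there is inert rather than pass it as configured.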
See the following links for more information and guidelines on setting the HSTS header; also see this explanation of HSTS preloading.