Enable HSTS in Akamai

Security, WWW 1 Minute

What is HSTS? It stands for HTTP Strict Transport Security. Simply speaking, HSTS is a method that allows the browser to do http to https redirect.

Why use HSTS? Security! As explained above, the http traffics only stay inside the machine, so it reduces the risk of exposing sensitive information in plain text to the Internet.

To enable HSTS in Akamai. There are two things need to be done.

First, enable http to https redirect.

Screen Shot 2017-11-13 at 11.00.05 AM.png

Second, modify the outgoing response header to add the Strict-Transport-Security header, and set its max-age=2592000. max-age is counted in seconds, so 2592000 is 30 days. One year/ 365 days would be 31536000 (the longer the safer).

Screen Shot 2017-11-13 at 10.59.33 AM.png

Let’s see the difference:

Before the change,  the redirect code is 301

Screen Shot 2017-11-13 at 10.57.50 AM.png

After the change, the redirect code is 307. What does 307 mean? 

Screen Shot 2017-11-13 at 11.07.01 AM.png

Screen Shot 2017-11-13 at 11.07.22 AM.png

Screen Shot 2017-11-13 at 11.12.46 AM.png

In my example, I use Chrome. Chrome does a fake 307 redirect. To delete the HSTS setting for the site, you can go to chrome://net-internals/#hsts

Screen Shot 2017-11-13 at 11.06.22 AM.png

Published by Jackie Chen

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s