Product Documentation

Configure support for HTTP strict transport security (HSTS)

Citrix ADC appliances support HTTP strict transport security (HSTS) as an inbuilt option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

You can enable HSTS in an SSL front-end profile or on an SSL virtual server. If you enable SSL profiles, then you should enable HSTS on an SSL profile instead of enabling it on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included. For example, you can specify that subdomains for www.example.com, such as www.abc.example.com and www.xyx.example.com, can be accessed only by using HTTPS by setting the IncludeSubdomains parameter to YES.

If you access any web sites that support HSTS, the response header from the server contains an entry similar to the following:

HSTS response header

The client stores this information for the time specified in the max-age parameter. For subsequent requests to that web site, the client checks its memory for an HSTS entry. If an entry is found, it accesses that web site only by using HTTPS.

You can configure HSTS at the time of creating an SSL profile or an SSL virtual server by using the add command. You can also configure HSTS on an existing SSL profile or SSL virtual server by modifying it using the set command.

Configure HSTS by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO)

OR

add ssl profile <name> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO )

**Arguments**

**HSTS**

         State of HTTP Strict Transport Security (HSTS) on an SSL virtual server or SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.

          Possible values: ENABLED, DISABLED

          Default: DISABLED

**maxage**

          Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.

          Default: 0

          Minimum: 0

          Maximum: 4294967294

**IncludeSubdomains**

         Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

          Possible values: YES, NO

          Default: NO

In the following examples, the client must access the web site and its subdomains for 157680000 seconds only by using HTTPS.

add ssl vserver VS-SSL –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES
add sslProfile hstsprofile –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES

Configure support for HTTP strict transport security (HSTS)