HSTS stands for HTTP Strict Transport Security. It is a mechanism by which a website declares that it must only be accessed over a secure connection (HTTPS). Once a site has declared an HSTS policy by sending a special response header over HTTPS, the browser rewrites every plain HTTP request to that site into an HTTPS request before it leaves the machine, and it no longer lets the user click through certificate errors for that site. HSTS is supported by all current major browsers.

What Potential Problems Does It Solve?

  • A user bookmarks or manually types http://example.com/ while a man-in-the-middle attacker sits on the network. With HSTS, the browser rewrites the HTTP request to HTTPS locally, so no plaintext request is ever sent for the attacker to intercept or redirect.
  • A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP. The browser upgrades those HTTP requests to HTTPS for the target domain, so mixed-content pages cannot leak session cookies over plaintext.
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user by presenting an invalid certificate and hopes the user will accept it. With HSTS, the browser does not offer the user a way to override the certificate warning; the connection is simply refused.

Setting HSTS up in Mapp Engage

HSTS is used by default on all Mapp-managed domains. You can also enable it for your own domain by requesting the StrictTransportSecurity feature from your Customer Success Manager. In this case, the following response header is sent with every HTTPS response from your domain; the includeSubDomains directive extends the policy to all of its subdomains:

Strict-Transport-Security: max-age=63072000; includeSubDomains

Once set, this cannot be undone! Browsers that have seen the header cache the policy for max-age seconds (63072000 seconds is two years), and because of includeSubDomains they will refuse plain HTTP and any certificate error on every subdomain, including hosts that Mapp does not operate (test systems, intranet hosts, mail or CDN subdomains). Please check carefully, before requesting the feature, that the domain and all of its subdomains have a valid HTTPS certificate and that every subdomain you still need over plain HTTP has been moved to HTTPS.
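To make the browser behaviour described above concrete, the following added example (written for this page, not code from Mapp Engage or from a browser) parses a Strict-Transport-Security header value per RFC 6797, models the browser-side HSTS cache, and shows which requests the cache rewrites once a policy like the one above has been observed. It also contains a pre-flight helper that connects to a real host with certificate verification on, which is the check to run on the domain and each subdomain before requesting the feature. The host names and the simplified rule that any HTTPS response sets the policy are assumptions for illustration; a real browser only honours the header on a response whose certificate validated without error.

```python
"""HSTS header parsing and a model of the browser-side HSTS cache.

Added illustration for RFC 6797 behaviour; not Mapp Engage code.
"""
import http.client
import ssl
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value.

    Returns None when the header is invalid and must be ignored by a client:
    max-age is mandatory, directive names are case-insensitive, a repeated
    directive invalidates the whole header, unknown directives (e.g. preload)
    are ignored (RFC 6797 section 6.1).
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsStore:
    """Minimal model of a browser's HSTS cache (host -> expiry, includeSubDomains)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, scheme: str, header_value: Optional[str]) -> None:
        """Record a policy from a response. Simplification: any HTTPS response counts;
        a browser additionally requires the certificate to have validated.
        max-age=0 deletes a cached policy."""
        if scheme != "https" or header_value is None:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower().rstrip(".")
        if policy.max_age == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host matches a cached policy directly, or a parent domain's
        policy that carries includeSubDomains (RFC 6797 section 8.2)."""
        host = host.lower().rstrip(".")
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// if the host is a known HSTS host.
        An explicit port 80 becomes the default 443; other ports are preserved
        (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fetch_hsts_header(host: str, timeout: float = 5.0) -> Optional[str]:
    """Pre-flight check for a real host: connect with certificate verification
    enabled (an invalid certificate raises ssl.SSLCertVerificationError) and
    return the Strict-Transport-Security header, or None if absent."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    store = HstsStore()
    # Constructed response from the assumed host example.com, using the header from this page.
    store.observe("example.com", "https", "max-age=63072000; includeSubDomains")
    for url in ("http://example.com/", "http://mail.example.com/login", "http://example.com:8080/"):
        print(url, "->", store.rewrite(url))
    for host in sys.argv[1:]:  # e.g. python hsts_check.py example.com www.example.com
        try:
            print(host, "->", fetch_hsts_header(host))
        except (ssl.SSLCertVerificationError, OSError) as exc:
            print(host, "-> FAILED:", exc)
```

Run it with the domain and every subdomain as arguments: a host that prints FAILED with a certificate verification error is exactly the host that browsers will refuse to reach once the policy with includeSubDomains is cached.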