Parameter: HTTPHSTSMaxAge

Short description: max-age value for the HSTS (Strict-Transport-Security) header – forces browsers to use HTTPS exclusively for the configured period.

Profile
Parameter | HTTPHSTSMaxAge |
Category | Security / TLS |
Component | Server |
Available since | 14.5 |
Supported versions | 14.5, 14.5.1 |
GUI equivalent | Web Site / Internet Site document (HSTS) |
Possible values | Seconds (recommended 31536000 = 1 year); 0 = HSTS disabled |
Description

With the HSTS header (Strict-Transport-Security: max-age=...), the server tells the browser that all future requests for this domain must be made over HTTPS only, for max-age seconds – even if a user types http://. This prevents downgrade attacks on open networks, because the browser upgrades the request itself before it ever leaves the client.

Important: before setting this, HTTPS must be guaranteed to work on all vhosts – otherwise users lock themselves out for the whole max-age period, since the browser will refuse plain HTTP to that host.
Example configuration
HTTPHSTSMaxAge=31536000
Notes & pitfalls
- Value in seconds.
- Before the first rollout, test with a short max-age (e.g. 300), then raise it.
- For subdomain coverage, additionally set HTTPHSTSIncludeSubDomains=1.
- Pairs with WebSSO_Force_HTTPS, HTTPDisable_HSTS_Preload.
- The change takes effect after a restart of the HTTP task (tell http restart).
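The following script is an added example, not part of this parameter documentation or of the server product. It shows what the header described above means to a browser and turns the rollout checklist from the notes into something you can run: it parses a Strict-Transport-Security value the way RFC 6797 prescribes (semicolon-separated directives, case-insensitive names, optionally quoted max-age, duplicate directives invalidate the header), reads HTTPHSTSMaxAge / HTTPHSTSIncludeSubDomains from a notes.ini fragment, and reports the mismatches a practitioner should resolve before raising max-age to one year. The notes.ini fragment and the observed header are constructed sample data; the assessment rules are this example's own, derived from the notes above, and the server's exact header output is not assumed beyond the max-age directive the page names.

```python
"""Check an observed Strict-Transport-Security header against the configured
HTTPHSTSMaxAge / HTTPHSTSIncludeSubDomains values before a production rollout.
Added example; the notes.ini fragment and the response header below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000        # recommended max-age from the parameter description
PILOT_MAX_AGE = 300        # short value suggested for the first test rollout


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None when the header carries no max-age (browsers ignore it)
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an STS header value (RFC 6797 syntax): ';'-separated directives,
    case-insensitive names, max-age as an optionally quoted non-negative integer."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            # RFC 6797 allows each directive name once; a repeat makes the whole header invalid
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored by user agents, so they are ignored here too
    return HstsPolicy(max_age, include_subdomains, preload)


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines from a notes.ini fragment (keys treated as case-insensitive)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().upper()] = value.strip()
    return settings


def assess_rollout(settings: Dict[str, str], header_value: Optional[str],
                   https_ok_on_all_vhosts: bool) -> List[str]:
    """Return findings to resolve before raising max-age; an empty list means 'looks good'."""
    findings: List[str] = []
    configured = int(settings.get("HTTPHSTSMAXAGE", "0"))
    want_subdomains = settings.get("HTTPHSTSINCLUDESUBDOMAINS") == "1"

    if configured == 0:
        findings.append("HTTPHSTSMaxAge=0: HSTS is disabled, no policy will be sent")
        return findings
    if not https_ok_on_all_vhosts:
        findings.append("HTTPS is not confirmed on every vhost: do not enable HSTS yet, "
                        "users would lock themselves out for the whole max-age period")
    if header_value is None:
        findings.append("server sends no Strict-Transport-Security header: "
                        "restart the HTTP task (tell http restart) and re-check")
        return findings

    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        findings.append(f"malformed header, browsers will ignore it: {exc}")
        return findings

    if policy.max_age is None:
        findings.append("header lacks max-age: browsers ignore it")
    elif policy.max_age != configured:
        findings.append(f"header max-age {policy.max_age} differs from configured {configured}: "
                        "HTTP task not yet restarted, or another setting is in effect")
    elif policy.max_age <= PILOT_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is a pilot value: raise towards {ONE_YEAR} once verified")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below the recommended {ONE_YEAR} (1 year)")

    if want_subdomains and not policy.include_subdomains:
        findings.append("HTTPHSTSIncludeSubDomains=1 is set but includeSubDomains is missing from the header")
    return findings


# Constructed sample: a pilot configuration and the header observed after the restart.
SAMPLE_INI = """
HTTPHSTSMaxAge=300
HTTPHSTSIncludeSubDomains=1
"""
SAMPLE_HEADER = "max-age=300; includeSubDomains"

if __name__ == "__main__":
    for finding in assess_rollout(parse_notes_ini(SAMPLE_INI), SAMPLE_HEADER, True):
        print("-", finding)
```

Run it against the header a real response returns (for example the value of the Strict-Transport-Security header shown by a browser's network panel or by a command-line HTTP client) and pass https_ok_on_all_vhosts only once every vhost has been checked over HTTPS; the function deliberately refuses to wave through a non-zero max-age while that is still unconfirmed.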