You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/application-gateway/hsts-http-headers-portal.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,25 +1,25 @@
1
1
---
2
2
title: Use header rewrite to add HSTS header in portal - Azure Application Gateway
3
-
description: Learn how to use the Azure portal to configure an Azure Application Gateway to rewrite the HTTP header in the requests and responses passing through the gateway
3
+
description: Learn how to use the Azure portal to configure an Azure Application Gateway with HSTS Policy
This article describes how to use the Azure portal to configure an [Application Gateway v2 SKU](./application-gateway-autoscaling-zone-redundant.md)instance to rewrite HSTS headers to better secure traffic to your application through HSTS policy.
14
+
This article describes how to use the [Header Rewrite](./rewrite-http-headers-url.md) in [Application Gateway v2 SKU](./application-gateway-autoscaling-zone-redundant.md) to add HTTP Strict-Transport-Security (HSTS) response header to better secure traffic through Application Gateway.
15
15
16
-
HSTS policy helps protect your sites against man-in-the-middle attacks. When redirecting HTTP traffic to HTTPS, a man-in-the-middle attack can incercept the initial HTTP request and exploit visitors through the non-encrypted version of the site. Adding the HTTP Strict Transport Security header ensures that a user will always connect with HTTPS instead of HTTP.
16
+
HSTS policy helps protect or minimize your sites against man-in-the-middle, cookie-hijacking, and protocol downgrade attacks. After a client has established the first successful HTTPS connection with your HSTS-enabled website, HSTS header ensures going forward the client can access only through HTTPS.
17
17
18
18
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
19
19
20
20
## Before you begin
21
21
22
-
You need to have an Application Gateway v2 SKU instance to complete the steps in this article. Rewriting headers isn't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](./tutorial-autoscale-ps.md)instance before you begin.
22
+
You need to have an Application Gateway v2 SKU deployment to complete the steps in this article. Rewriting headers isn't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](./tutorial-autoscale-ps.md)deployment before you begin.
23
23
24
24
## Sign in to Azure
25
25
@@ -71,9 +71,9 @@ In this example, we will add the Strict Transport Security (STS) response header
71
71
72
72
6. Add an action to rewrite the response header:
73
73
74
-
- In the **Action type** list, select **Set**.
74
+
- In the **Rewrite type** list, select **Response Header**.
75
75
76
-
- In the **Header type** list, select **Response**.
76
+
- In the **Action type** list, select **Set**.
77
77
78
78
- Under **Header name**, select **Common header**.
79
79
@@ -93,7 +93,7 @@ In this example, we will add the Strict Transport Security (STS) response header
93
93
94
94
- In order to maximize security, you must show HSTS policy as soon as possible when users begin an HTTPS session. In order to enforce HTTPS for a given domain, the browser only needs to observe the STS header once. Hence, it should be added to home pages and critical pages of a site. However, that is not sufficient, it is best practice to cover as much of the URL space as possible and prioritize non-cacheable content.
95
95
96
-
- In this example, the response header StrictTransportSecurity is set to `max-age=31536000; includeSubdomains; preload`. However, users can also set the header to equal `max-age=31536000; includeSubdomains`, removing the preload. Preloading helps strengthen HSTS by ensuring clients always access the site using HTTPS, even if it is their first time accessing it. You must submit your domain and subdomains to https://hstspreload.org/ in order to ensure that users will never access the site using HTTP. Although the preload list is hosted by Google, all major browsers use this list.
96
+
- In this example, the response header Strict-Transport-Security is set to `max-age=31536000; includeSubdomains; preload`. However, users can also set the header to equal `max-age=31536000; includeSubdomains`, removing the preload. Preloading helps strengthen HSTS by ensuring clients always access the site using HTTPS, even if it is their first time accessing it. You must submit your domain and subdomains to https://hstspreload.org/ in order to ensure that users will never access the site using HTTP. Although the preload list is hosted by Google, all major browsers use this list.
97
97
98
98
- HSTS Policy will not prevent attacks against TLS itself or attacks on the servers.
0 commit comments