Is HSTS supported either by ALB or WAF?

Question

I have a website that is behind ALB with WAF integration. Our vulnerability scan showed the following:

Website Does Not Implement HSTS Best Practices

**Recommendation:**
Implement HTTP Strict Transport Security (HSTS) on your web server.

I could not find a HSTS setting anywhere in the ALB attribute section nor in the WAF rules set...
Is that setting supported on ALB or WAF or does it need to be done directly on the backend server or if I put the ALB behind the CDN ( CloudFront )?

Your help is much appreciated.
Thank You

Accepted Answer

HSTS is specified on the Back-end, not on the ALB. Please refer to this [post](https://repost.aws/questions/QUObtOMsY1RmWblPg9LTaKSw/how-to-add-hsts-header-when-redirecting-traffic-in-load-balancer) for more detail.

Answer

Besides modifying ALB listener rules to redirect HTTP to HTTPS, and adding HSTS header, you can implement HSTS with CloudFront.

Steps on CloudFront include
- Modify viewer policy to [redirect from HTTP to HTTPS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html)
- Either use the Managed Response Header Policy which includes `Strict-Transport-Security` header, e.g.. [SecurityHeadersPolicy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security), or create a custom policy with STS header

Is HSTS supported either by ALB or WAF?

Relevant content