By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

HTTP Strict Transport Security not set

0

Is the HSTS policy controlled by ALB? I don't see any option. How to fix this? I'm not using API gateway.

Topics
ComputeNetworking & Content DeliveryAWS Well-Architected Framework
Tags
Website ProvisioningElastic Load BalancingSecurity
Language
English
rePost-User-olmec
asked a year ago2597 views
1 Answer
0

Hello,

I would suggest to introduce CloudFront and put the LB behind it. CloudFront allows you to set that header https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-http-security-headers/

Other benefits from CF is edge locations + low latency bare backbone AWS network, caching and last but not least could help in case of you are under DDoS attack.

profile picture
Todor Todorov
answered a year ago
  • rePost-User-olmec
    a year ago

    As per the definition of HSTS, "HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP." I already redirect http request to https with 301 code in the ELB hence http is literally not possible. Isn't that suffice?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content