Enable HSTS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects websites against protocol downgrade attacks and cookie hijacking.
- HSTS can be enabled in the administration interface even if "HTTP -> HTTPS redirect" is not enabled.
- HSTS is available only when HTTPS is enabled.
- EFT sends the HSTS header when a client connects (if HSTS is enabled).
- HSTS is enabled by default on new installs when HTTPS is enabled.
- HSTS is enabled by default on upgrades if HTTPS was enabled before the upgrade.
- HSTS is part of the HTTP/S module.
To enable HSTS
- In the administration interface, connect to EFT and click the Server tab.
- On the Server tab, click the Site you want to configure.
- In the right pane, click the Connections tab.
- Select the Enable HSTS check box.
- Click Apply to save the changes on EFT.
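To confirm that the server is actually sending the policy after you click Apply, the following added example (not part of EFT or this documentation) parses and sanity-checks a Strict-Transport-Security header value, such as the one shown by `curl -sI https://<your-eft-host>/` (placeholder host). The directive rules follow RFC 6797 section 6.1; the one-year minimum and the "ignored over plain HTTP" check reflect common browser behaviour, and the header dictionaries in the test are constructed samples.

```python
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum max-age


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1:
    ';'-separated, case-insensitive directives; max-age is mandatory,
    duplicates are invalid, unknown directives are ignored."""
    seen, policy = set(), {"max_age": None, "includeSubDomains": False, "preload": False}
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # max-age="..." is allowed by the grammar
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age: {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def check_response(scheme: str, headers: dict) -> list:
    """Return findings for a response fetched over `scheme`; the header
    dict can be constructed by hand. Browsers honour HSTS only on HTTPS."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    if scheme != "https":
        findings.append("HSTS header received over HTTP; user agents ignore it")
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return findings + [f"unparseable HSTS header: {exc}"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy rather than enforcing it")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is below the recommended one year")
    return findings
```

Feed `check_response` the scheme you fetched over and the response headers; an empty list means the policy is present, parseable and at least a year long.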