
HTTP Strict Transport Security (HSTS) in B2C Commerce

Publication date: Jan 14, 2026
Description
HTTP Strict Transport Security (HSTS) secures your site by instructing web browsers to access your domain using only HTTPS. HSTS prevents attackers from using downgrade attacks against your site. For extra security, enable preload, which forces web browsers to open your site in HTTPS the first time it's requested. Read the IETF on HSTS for more information.

Web browsers check your site's HTTP header for information on HSTS. When the web browser reads a max age for HSTS, the browser doesn't check the header again until the max age has expired. Because a web browser checks the header only after the max age has passed, you can't manually disable HSTS. You can change the max age at any time, but you can update HSTS only on an HTTPS connection. Because of this, if your site contains insecure material, your changes to the max age don't apply.
Solution

Q1: Does Business Manager support the auto renew feature of HSTS?

Yes, once the max header age expires, the browser will check to see if the header is present and if it is not, the header will be added.


Q2: Does HSTS restart its timer per page or per domain? For example, if we set the expiry to 5 minutes, given the information you've provided, and disable the HSTS Feature Switch after 1 minute: if a user comes onto our site 4 minutes after starting the HSTS testing, are they then locked in for the full 5-minute period until the browser polls for HSTS again, are they locked in for the 1 minute that remains on the initial setting, or, since they're coming in at the 4-minute mark and HSTS was disabled after the first minute, would they not experience forced HTTPS at all?

Since the feature was disabled after 1 minute, no more headers are sent after the one-minute mark. A user coming in for the very first time at the 4-minute mark will therefore never have the header set, and HSTS will not apply to them. If that same user instead comes in during the first minute, a max age of 5 minutes is set at minute 1, which means the restrictions apply until minute 6, when that header expires for the end user.


Q3: If we set the expiry to 5 minutes given your information provided and leave HSTS Feature Switch enabled, would an incoming user after 4 minutes of activation have a full 5-minute period before renewal poll, or would they have the 1 minute before renewal poll?

A user coming in at 4 minutes will have a max age of 5 minutes set in the browser at the 4th minute, so the browser will not check with the server again for 5 minutes after it is set. The end user would have to wait until minute 9 for the header to expire. It is the full 5-minute period.


Q4: As it seems that the HSTS header does auto-renew after X amount of minutes, what is the benefit of setting the expiry time to a higher amount? Could we be okay with a 1 hour self-renewing period in case we run into issues at a future date with future site updates, so that users aren't put out by the potential for missing functionality?

The HSTS header does auto-renew via the web browser.


Q5: Is the browser receiving just a notification that all data to/from the site must be served over HTTPS for the duration set, or is the browser accepting a cached list of URLs from the domain that is expected to have HTTPS traffic?

The browser receives a header that states the max age. Until the max age has elapsed, it will simply not allow the server to communicate with it over non-HTTPS. This applies not only to the whole page but also to any insecure content within a page. It also does not give the user an option to continue after acknowledging the risk, as they can on HTTP pages of insecure sites.


Scenario: A merchant enables HSTS with a max-age of 1 day and disables HSTS 2 hours later.

Results for merchants that use full-site HTTPS:
For shoppers that visit the site within the 2 hours when HSTS is enabled, their browsers will only accept secure content for 24 hours.

  • After 24 hours, browsers will purge the HSTS settings automatically and will no longer require HTTPS.
  • This only affects the browser that the shopper used. Other browsers will not be affected, even on the same computer.


For new shoppers that visit the site after HSTS has been disabled, their browsers will accept HTTP traffic.

Results for merchants that use HTTP:
For shoppers that visit the site within the 2 hours when HSTS is enabled, their browsers will only accept secure content for 24 hours.

  • Within those 24 hours, the browser will not load the site or any assets that use HTTP.
  • After 24 hours, the browser will purge the HSTS settings automatically and will no longer require HTTPS.
  • This only affects the browser that the shopper used. Other browsers will not be affected, even on the same computer.


For new shoppers that visit the site after HSTS has been disabled, their browsers will accept HTTP traffic.
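The timing rules in Q2, Q3 and the scenario above can be replayed with a small model of a browser's HSTS cache. This is an added illustration, not B2C Commerce code; the host name "shop.example", the `simulate` helper and the minute values are constructed for the example.

```python
import re
# Added illustration, not B2C Commerce code: a minimal model of a browser's HSTS
# cache used to replay the max-age timing questions from this article.
# "shop.example" and the minute values below are constructed sample data.

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains, preload), or None without a valid max-age."""
    m = _MAX_AGE.search(header)
    if m is None:
        return None
    tokens = {t.strip().lower() for t in header.split(";")}
    return int(m.group(1)), "includesubdomains" in tokens, "preload" in tokens

class BrowserHstsCache:
    """Per-host expiry times, as a browser keeps them for known HSTS hosts (RFC 6797)."""
    def __init__(self):
        self.expires = {}  # host -> absolute expiry time in seconds

    def observe(self, host, now, https, header):
        # Browsers ignore Strict-Transport-Security on plain-HTTP responses, which
        # is why the article says the policy can only be updated over HTTPS.
        if not https or header is None or (parsed := parse_hsts(header)) is None:
            return
        if parsed[0] == 0:
            self.expires.pop(host, None)          # max-age=0 makes the browser forget the host
        else:
            self.expires[host] = now + parsed[0]  # every response restarts the full timer

    def enforces_https(self, host, now):
        exp = self.expires.get(host)
        return exp is not None and now < exp

def simulate(visit_min, switch_off_min, max_age_min, probe_min, host="shop.example"):
    """Replay one shopper's HTTPS visits (times in minutes). The server sends the header
    only while the feature switch is on. Returns True if HTTPS is forced at probe time."""
    cache = BrowserHstsCache()
    for t in visit_min:
        on = switch_off_min is None or t <= switch_off_min
        cache.observe(host, t * 60, True, f"max-age={max_age_min * 60}" if on else None)
    return cache.enforces_https(host, probe_min * 60)

if __name__ == "__main__":
    # Q2: switch off at minute 1; a first-time visitor at minute 4 is never forced,
    # while one seen at minute 1 is locked in until minute 6.
    print(simulate([4], 1, 5, 4.5), simulate([1], 1, 5, 5.9), simulate([1], 1, 5, 6))
    # Q3: switch left on; a visitor at minute 4 gets a full 5 minutes, until minute 9.
    print(simulate([4], None, 5, 8.9), simulate([4], None, 5, 9))
```

The 1-day scenario is the same replay with `simulate([60], 120, 1440, probe)`: a shopper seen at minute 60 is locked in until minute 1500, while a shopper arriving after the switch is off is never affected.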

Knowledge Article Number

000391225

Salesforce Help | Article