How to configure Domino for HTTP Strict Transport Security
The HTTP Strict Transport Security (HSTS) response header lets a web server tell web clients to communicate with it only over HTTPS and never over HTTP. This helps prevent web browsers from being tricked by an attacker into communicating over unencrypted HTTP, but it also blocks some common practices: "mixed content" pages where some resources are served over HTTPS and some over HTTP, and authenticating over HTTPS and then downgrading to HTTP.
Starting in Domino 9.0.1 FP3 IF2, when a Domino server is configured for SSL/TLS and the HTTP port is disabled or set to "redirect only", the HSTS header is sent with a one-week default max-age. If the Domino server is not configured for SSL/TLS, or the HTTP port is active, the HSTS header is sent with the max-age parameter set to zero, which disables HSTS in the browser. The following settings adjust this behavior:
- HTTP_HSTS_MAX_AGE changes the max-age header parameter; the default is 604800 seconds (one week).
- HTTP_HSTS_INCLUDE_SUBDOMAINS=1 adds the "includeSubDomains" parameter to the "Strict-Transport-Security" header. This is off by default.
- HTTP_ENABLE_HSTS=0 disables HSTS so that the Strict-Transport-Security header is not sent at all.
In older versions of Domino, administrators can use Internet Site documents to configure the Domino HTTP task to set this header and tell compliant web browsers to communicate with the server only over SSL/TLS. Configure this header only if plaintext HTTP has been disabled or set to "redirect only" and SSL/TLS is enabled.
Sample Web Site Rule adding the "Strict-Transport-Security" header with a maximum age of one year:
If you need to re-enable plaintext HTTP, replace this header's value with max-age=0 to tell compliant web browsers that they may communicate with your web site over HTTP once again.
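The following is an added example, not Domino's own code: it models the header values the settings above produce (assuming the three settings are read from notes.ini as plain strings, and an `http_port` state of "disabled", "redirect" or "enabled"), and includes a small checker you can run against the Strict-Transport-Security value a server actually returns to confirm whether it is enforcing HTTPS or has been set to max-age=0.

```python
"""Model of the documented Domino HSTS behaviour plus a header checker.
Added example; the modelling of notes.ini settings is an assumption."""
import re

DEFAULT_MAX_AGE = 604800  # one week, the documented Domino default


def domino_hsts_header(notes_ini, tls_enabled, http_port):
    """Return the Strict-Transport-Security value the server would send,
    or None when the header is suppressed by HTTP_ENABLE_HSTS=0.

    notes_ini: dict of setting name -> string value (assumed source)
    tls_enabled: whether the server is configured for SSL/TLS
    http_port: "disabled", "redirect" or "enabled"
    """
    if notes_ini.get("HTTP_ENABLE_HSTS", "1") == "0":
        return None
    # HSTS is only enforced when plaintext HTTP cannot serve content;
    # otherwise Domino sends max-age=0, which clears any stored policy.
    if not tls_enabled or http_port == "enabled":
        return "max-age=0"
    max_age = int(notes_ini.get("HTTP_HSTS_MAX_AGE", DEFAULT_MAX_AGE))
    value = f"max-age={max_age}"
    if notes_ini.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") == "1":
        value += "; includeSubDomains"
    return value


def check_hsts(header_value):
    """Parse an HSTS header value and report whether it enforces HTTPS."""
    directives = {}
    for part in header_value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        # No usable max-age means browsers ignore the header entirely.
        return {"valid": False, "enforcing": False, "max_age": None,
                "subdomains": False}
    age = int(max_age)
    return {"valid": True, "enforcing": age > 0, "max_age": age,
            "subdomains": "includesubdomains" in directives}


if __name__ == "__main__":
    print(domino_hsts_header({"HTTP_HSTS_INCLUDE_SUBDOMAINS": "1"}, True, "redirect"))
    print(check_hsts("max-age=31536000; includeSubDomains"))
```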