
HTTP Strict Transport Security


Applies to: Sana Commerce 9.2.1 and higher

As part of secure web store communication, Sana supports HTTP Strict Transport Security (HSTS). This is a header added to the Web server responses that disallows insecure HTTP connections to the entire web store domain when a Sana web store is running over full HTTPS.

When Sana is running over full HTTPS, it sends the HSTS header in all responses to the Web browser that come via the HTTPS connection. Once the Web browser receives this header, it will prevent any communication from being sent over HTTP to the specified domain and will instead send all communication over HTTPS.


The HSTS header settings are used only when Sana is running over full HTTPS. When Sana is running over partial HTTPS, or if an insecure HTTP connection is used, the HSTS header is not sent by Sana.

When you enable full HTTPS, Sana automatically starts sending the HSTS header with the default values.

This is what the HSTS header looks like when it is sent to the Web browser:

Strict-Transport-Security: max-age=31536000; includeSubDomains

If the "preload" directive is enabled, the HSTS header will look like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

You can change the HSTS header settings in the "Web.config" file of the Sana Commerce Frontend.

<ssl mode="Full" partialConfigPath="partial-ssl.config" bypassWarning="true" hstsMaxAge="31536000" hstsIncludeSubDomains="true" hstsPreload="false" />

The attributes used to set up the HSTS header behavior are described below.

Attribute: hstsMaxAge
Default value: 31536000
Description: Sets the value of the "max-age" directive in the HSTS header, in seconds. The default value is 31536000 seconds, which is equal to one year.

Attribute: hstsIncludeSubDomains
Default value: true
Description: Enables or disables the "includeSubDomains" directive. The default value is "true". Change it to "false" if you have sub-domains that need to be accessible via HTTP while the main domain is accessible only via HTTPS.

Attribute: hstsPreload
Default value: false
Description: Enables or disables the "preload" directive. The default value is "false".

Important: You can change this value to "true" only if you really know what you are doing, as this directive tells the Web browser to add your web store domain to the HTTPS preload list. Sending the preload directive from your web store can have permanent consequences. Once the domain is added to the HTTPS preload list, the Web browser will no longer use HTTP for requests to this domain. Thus, if you plan to use HTTP for your web store again in the future, you must use this option cautiously.
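As an added example (not Sana's own code), the following Python maps the ssl element's HSTS attributes from the page to the header value the web store should send, and then checks a received Strict-Transport-Security value the way a reviewer would, including the preload caveat above. The mapping of attributes to directives and the use of mode="Full" as the only mode that sends the header are assumptions based on this page's description.

```python
import xml.etree.ElementTree as ET

ONE_YEAR = 31536000  # the page's default max-age: one year in seconds

# Constructed sample of the <ssl> element from this page, with its default values.
SAMPLE_SSL_CONFIG = (
    '<ssl mode="Full" partialConfigPath="partial-ssl.config" bypassWarning="true" '
    'hstsMaxAge="31536000" hstsIncludeSubDomains="true" hstsPreload="false" />'
)

def expected_hsts_header(ssl_xml):
    """Header value the <ssl> element should produce; None unless mode is Full (assumed mapping)."""
    ssl = ET.fromstring(ssl_xml)
    if ssl.get("mode", "").lower() != "full":
        return None  # the page states the header is only sent over full HTTPS
    directives = [f"max-age={int(ssl.get('hstsMaxAge', ONE_YEAR))}"]
    if ssl.get("hstsIncludeSubDomains", "true").lower() == "true":
        directives.append("includeSubDomains")
    if ssl.get("hstsPreload", "false").lower() == "true":
        directives.append("preload")
    return "; ".join(directives)

def parse_hsts(header_value):
    """Parse a received header value into a dict; directive names are case-insensitive."""
    parsed = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            parsed[name.lower()] = value.strip() if value else True
    max_age = parsed.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit():
        parsed["max-age"] = int(max_age)
    else:
        parsed.pop("max-age", None)  # missing or malformed max-age: treat as absent
    return parsed

def check_hsts(header_value):
    """Return the findings a reviewer would raise about a received header value."""
    p = parse_hsts(header_value)
    if "max-age" not in p:
        return ["max-age is required; the header is invalid"]
    findings = []
    if p["max-age"] == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif p["max-age"] < ONE_YEAR:
        findings.append("max-age below one year (31536000) weakens protection")
    if "includesubdomains" not in p:
        findings.append("includeSubDomains absent: sub-domains may still be reached over HTTP")
    if "preload" in p and ("includesubdomains" not in p or p["max-age"] < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age of at least one year")
    return findings
```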