The HSTS (HTTP Strict Transport Security) policy mechanism is fully supported by Incapsula.
It can be enabled by going to: Site > Settings > General > Site settings > SSL Support, and checking the "Enable" checkbox.
When you plan to use HSTS for your website, review the configuration options below, as each one affects how the Strict-Transport-Security header actually reaches clients.
The options are ordered by recommendation (the first one is the most recommended).
Option I: HSTS enabled only on Incapsula (recommended)
When enabling HSTS only on Incapsula's end, all you need to do is configure it in accordance with your website requirements, press "Save" and you are done.
From now on, Incapsula will always serve the Strict-Transport-Security header to any clients connecting to your website.
Option II: HSTS enabled only on the origin server
When you choose to enable HSTS only on your origin server, it is important to note that the Strict-Transport-Security header will not always be served to clients when the Incapsula caching mechanism is on: a response served from the Incapsula cache does not carry the header unless it has been explicitly whitelisted for caching.
In order to resolve this issue, all you need to do is add the Strict-Transport-Security header to the Cache Headers table, under the Performance tab (located at the bottom of the page).
Option III: HSTS enabled on both Incapsula and the origin server (least recommended)
When HSTS is enabled on both Incapsula and the origin server, the Strict-Transport-Security header will always be served to clients.
However, which copy of the header a client receives depends on the scenario (essentially a combination of the two options above):
- When the response is not served from cache, the header comes directly from the origin server.
- When the response is served from cache, the header comes directly from Incapsula.
As a result, if HSTS is not implemented exactly the same on both Incapsula and the origin server (e.g. the max-age differs between the two, or the preload directive is present on Incapsula but missing on the origin server), clients will receive different policies depending on whether a given response was cached, and unexpected behavior might occur due to this inconsistency.
Important note: Make sure HSTS parameters are implemented exactly the same on both Incapsula and the origin server.
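The following script is an added example and not part of Incapsula's own documentation or tooling. It parses Strict-Transport-Security header values as defined in RFC 6797, reports any mismatch between the policy configured on Incapsula and the one sent by the origin (Option III's consistency requirement), and models which header value a client ends up receiving under the cache behavior described above. The header values and the `header_seen_by_client` model are constructed for illustration; in practice, feed the function the values your edge and origin actually return (for example from `curl -sI https://your-site/`).

```python
"""Compare the HSTS policies emitted by an edge (Incapsula) and an origin server.

Added example, not Incapsula's own code. Sample header values below are
constructed; replace them with what your edge and origin actually return.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory and may be
    quoted, and unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer: {directive!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security header lacks max-age")
    return HstsPolicy(max_age, include_subdomains, preload)


def policy_differences(edge: HstsPolicy, origin: HstsPolicy) -> list:
    """List every directive on which the two policies disagree (empty = consistent)."""
    diffs = []
    if edge.max_age != origin.max_age:
        diffs.append(f"max-age differs: edge={edge.max_age} origin={origin.max_age}")
    if edge.include_subdomains != origin.include_subdomains:
        diffs.append(f"includeSubDomains differs: edge={edge.include_subdomains} "
                     f"origin={origin.include_subdomains}")
    if edge.preload != origin.preload:
        diffs.append(f"preload differs: edge={edge.preload} origin={origin.preload}")
    return diffs


def header_seen_by_client(edge_hsts: Optional[str], origin_hsts: Optional[str],
                          served_from_cache: bool,
                          origin_header_cached: bool = False) -> Optional[str]:
    """Model (constructed from the article's description) of which header a client gets.

    - Not served from cache: the origin's header, if the origin sends one,
      otherwise whatever the edge adds.
    - Served from cache: the edge's header if HSTS is enabled on the edge;
      an origin-only header survives caching only if it was whitelisted in the
      Cache Headers table (origin_header_cached=True).
    """
    if not served_from_cache:
        return origin_hsts if origin_hsts is not None else edge_hsts
    if edge_hsts is not None:
        return edge_hsts
    if origin_hsts is not None and origin_header_cached:
        return origin_hsts
    return None


# Constructed sample values: the edge and origin disagree on max-age and preload.
EDGE_HSTS = "max-age=31536000; includeSubDomains; preload"
ORIGIN_HSTS = "max-age=86400; includeSubDomains"

if __name__ == "__main__":
    for diff in policy_differences(parse_hsts(EDGE_HSTS), parse_hsts(ORIGIN_HSTS)):
        print("MISMATCH:", diff)
    for cached in (False, True):
        print(f"cached={cached}: client sees",
              header_seen_by_client(EDGE_HSTS, ORIGIN_HSTS, cached))
```

Running the script against the constructed values reports the max-age and preload mismatches and shows that the client receives the short origin policy on a cache miss but the long edge policy on a cache hit, which is exactly the inconsistency Option III warns about.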