Many customers wish to enhance the security of their web presence and ensure they comply with organizational requirements related to IT security and third-party audits.
All EasyRedir URL redirector responses include the following security-related HTTP header:
- X-Content-Type-Options: nosniff (tells browsers to honour the declared Content-Type instead of sniffing the response body)
On supported plans, customers may also configure additional security-related settings on a per-hostname basis. These settings are described below.
HTTP Strict-Transport-Security (HSTS)
You can configure an HSTS response header for all responses on a per-hostname basis. The header is built from the following settings:
- Maximum Age: the max-age directive, an integer number of seconds for which browsers should remember to contact this hostname only over HTTPS. If you leave this field empty we do not send the HSTS header at all. If you set it to 0 we send max-age=0, which tells browsers to forget any HSTS policy they have cached for the hostname; use this when you need to back out of HSTS.
- includeSubDomains Directive: If you enable this setting we include the includeSubDomains directive in the header, which extends the policy to every subdomain of the hostname. Enable it only if every subdomain is served over HTTPS, because browsers will refuse plain-HTTP connections to all of them for the duration of max-age.
- preload Directive: If you enable this setting we include the preload directive in the header. On its own the directive changes nothing in the browser; it signals consent to have the hostname submitted to the browser preload list at hstspreload.org, which also requires includeSubDomains and a max-age of at least 31536000 seconds (one year). Preloading is hard to undo, since removal only reaches users with later browser releases, so enable it only once every subdomain is ready for HTTPS-only access.
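The following script is an added example, not EasyRedir code: it builds the header value from the three settings above (an empty max-age produces no header, 0 produces max-age=0), parses a received header the way RFC 6797 describes (directives separated by semicolons, names case-insensitive, max-age required and not repeated), and lists why a header would fail the hstspreload.org requirements. The sample header values are constructed for the example.

```python
"""Build and validate HTTP Strict-Transport-Security header values.

Added example; not EasyRedir code. Models the per-hostname settings described
above and checks a header against the hstspreload.org eligibility rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def build_hsts_header(max_age: Optional[int], include_subdomains: bool = False,
                      preload: bool = False) -> Optional[str]:
    """Return the header value for the given settings, or None when no max-age
    is configured (the page's 'no number in the field -> no header' rule)."""
    if max_age is None:
        return None
    if not isinstance(max_age, int) or max_age < 0:
        raise ValueError("max-age must be a non-negative integer number of seconds")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts_header(value: str) -> HstsPolicy:
    """Parse a header value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is required, a directive may
    appear only once, and unknown directives are ignored. A header that breaks
    these rules would be ignored by a browser, so we raise instead.
    """
    max_age: Optional[int] = None
    flags = {"includesubdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # the RFC allows a quoted-string value
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name in flags:
            flags[name] = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, flags["includesubdomains"], flags["preload"])


def preload_problems(value: str) -> List[str]:
    """Return the reasons hstspreload.org would reject this header value.

    An empty list means the header itself is eligible; the preload list has
    further requirements (redirect behaviour, certificate) not checked here.
    """
    try:
        policy = parse_hsts_header(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample settings, not values from a real hostname.
    for settings in [(None, False, False), (0, False, False), (300, False, False),
                     (63072000, True, True)]:
        header = build_hsts_header(*settings)
        print(f"{settings!r:>28} -> {header!r}")
        if header is not None:
            print("   preload problems:", preload_problems(header) or "none")
```

Run it directly to see the header each combination of settings produces; the one-year check is the usual reason a hostname is rejected from the preload list even though the header looks complete.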
For further information on HSTS we recommend you review the OWASP HSTS Cheat Sheet which has a lot of great information on this topic.
A best practice when enabling HSTS is to also enable HTTPS Upgrade. When this setting is enabled and we receive an HTTP (insecure) request on the hostname, we first redirect to the HTTPS (secured) version of the same URL on the same hostname, and only then redirect the visitor to the target URL you have configured. This matters because browsers ignore a Strict-Transport-Security header received over plain HTTP; the intermediate HTTPS hop is what lets the policy take effect for a visitor who typed or followed an http:// link.
When this setting is enabled, we add the following HTTP headers to all responses on the configured hostname:
- X-Frame-Options: DENY
- Content-Security-Policy: default-src 'self'
- X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY prevents the redirect response from being rendered inside a frame, and the Content-Security-Policy restricts anything a browser might render for it to the hostname itself. X-XSS-Protection controlled the reflected-XSS filter in older browsers; current Chromium-based browsers and Firefox ignore it (Chromium removed its XSS Auditor and Firefox never implemented one), so it is harmless to send but should not be relied on.
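To verify a hostname behaves as this page describes, the following added example (not EasyRedir code) audits a redirect chain: every hop must carry X-Content-Type-Options and, when the setting above is enabled, the three hardening headers; a plain-HTTP hop must upgrade to HTTPS on the same hostname before the final redirect; and the HSTS header is only counted on HTTPS responses, since browsers ignore it over plain HTTP (RFC 6797 section 8.1). The two hop chains at the bottom are constructed by hand with made-up hostnames to stand in for what an HTTP client would observe.

```python
"""Audit a redirect hop chain for the headers described on this page.

Added example, not EasyRedir code. The hop chains below are constructed by
hand; hostnames are made up, header names and values are the ones the page
lists.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Expected on every redirector response.
ALWAYS = {"x-content-type-options": "nosniff"}
# Added to every response on the hostname when the hardening setting is on.
HARDENING = {
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'self'",
    "x-xss-protection": "1; mode=block",
}
REDIRECT_STATUSES = {301, 302, 307, 308}


def audit_chain(hops: List[Dict], hardening_enabled: bool = True) -> List[str]:
    """hops: [{"url": str, "status": int, "headers": {name: value}}] in the
    order a client follows them. Returns a list of findings; an empty list
    means the chain matches the behaviour described on the page."""
    findings: List[str] = []
    expected = {**ALWAYS, **HARDENING} if hardening_enabled else dict(ALWAYS)
    for i, hop in enumerate(hops):
        url = urlsplit(hop["url"])
        # Header names are case-insensitive; compare on a lower-cased copy.
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        for name, want in expected.items():
            if headers.get(name) != want:
                findings.append(f"hop {i} {hop['url']}: expected '{name}: {want}', "
                                f"got {headers.get(name)!r}")
        if url.scheme == "http":
            # Browsers ignore Strict-Transport-Security on plain-HTTP responses
            # (RFC 6797 s8.1); the policy only lands if this hop upgrades to
            # HTTPS on the same hostname so the next response can carry it.
            if "strict-transport-security" in headers:
                findings.append(f"hop {i}: HSTS header on a plain-HTTP response is "
                                "ignored by browsers")
            location = headers.get("location")
            if hop["status"] not in REDIRECT_STATUSES or not location:
                findings.append(f"hop {i}: plain-HTTP request was not redirected")
            else:
                target = urlsplit(location)
                if target.scheme != "https" or target.netloc.lower() != url.netloc.lower():
                    findings.append(f"hop {i}: redirected to {location} instead of "
                                    f"upgrading to https://{url.netloc}")
        elif "strict-transport-security" not in headers:
            findings.append(f"hop {i} {hop['url']}: HTTPS response lacks "
                            "Strict-Transport-Security")
    return findings


# Constructed sample data (not captured traffic).
_COMMON = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
}
_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# HTTPS Upgrade on: http -> https on the same hostname -> configured target.
GOOD_CHAIN = [
    {"url": "http://go.example.test/sale", "status": 301,
     "headers": {**_COMMON, "Location": "https://go.example.test/sale"}},
    {"url": "https://go.example.test/sale", "status": 301,
     "headers": {**_COMMON, **_HSTS, "Location": "https://www.example.test/landing"}},
]

# HTTPS Upgrade off: the plain-HTTP hop jumps straight to the target and the
# HSTS header it carries is never honoured.
BAD_CHAIN = [
    {"url": "http://go.example.test/sale", "status": 301,
     "headers": {**_COMMON, **_HSTS, "Location": "https://www.example.test/landing"}},
]

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN), ("bad", BAD_CHAIN)]:
        print(label, audit_chain(chain) or "no findings")
```

In practice you would fill the hop list from a client that does not follow redirects automatically (for example `curl -I` on each hop in turn); the audit logic is the same.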
If you have any questions about these security settings please don't hesitate to reach out. We're happy to guide you further.