HTTP Strict Transport Security (HSTS) in Arc

The HTTP Strict Transport Security (HSTS) response header instructs browsers to access Arc only over HTTPS, never over plain HTTP. This prevents protocol downgrade attacks and cookie hijacking: once the browser has recorded the policy, it refuses to send requests for the domain in cleartext, so an attacker on the network path cannot intercept a first HTTP request or strip the redirect to HTTPS.


Configuration

Open settings.yml in the Arc installation directory and add the following parameter:

usehsts: true

Save the file, restart Arc, and then connect once over HTTPS. Browsers only record an HSTS policy from a header received over a trusted HTTPS connection, so this first connection is what activates the policy; the HSTS header is then present on all subsequent responses.


Behaviour When Enabled

  • Arc sets the HSTS max-age to 2 years.

  • The policy applies to all subdomains.

  • After the first connection, the browser upgrades every HTTP request for the domain to HTTPS itself, before anything is sent over the network, so no cleartext request reaches Arc.


Removing the HSTS Header

To remove HSTS, you must do both of the following:

  1. Set usehsts: false in settings.yml and restart Arc.

  2. Manually remove the domain from the HSTS cache in the browser (browser-specific; typically found in the browser's security or privacy settings).

Warning: Setting usehsts: false alone is not sufficient. The browser will continue enforcing HTTPS until its HSTS cache entry expires (up to 2 years after the last response that carried the header, since each response refreshes the timer) or is manually cleared.
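To verify the behaviour described above, and to confirm that the header is really gone after disabling it, here is an added Python check (example code, not part of Arc): it parses the Strict-Transport-Security header per RFC 6797 and compares it with the documented policy. The exact 2-year value in seconds (63072000) is an assumption, since the page gives only the duration.

```python
"""Check a Strict-Transport-Security header against the policy this page
describes (max-age 2 years, includeSubDomains). Added example, not Arc code."""
import re
import sys
import urllib.request
# 2 years in seconds (assumed; the page states the duration, not the value)
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797) into a dict of directives.
    Names are case-insensitive; max-age becomes an int, valueless directives
    (includeSubDomains, preload) become True. Returns None when max-age is
    missing or non-numeric, because browsers ignore such a header."""
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if not name:
            continue
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            directives[name] = int(raw)
        else:
            directives[name] = raw if raw else True
    return directives if "max-age" in directives else None

def check_policy(header_value, expected_max_age=TWO_YEARS):
    """Return a list of findings; an empty list means the header matches."""
    if header_value is None:
        return ["no Strict-Transport-Security header: usehsts is not active"]
    d = parse_hsts(header_value)
    if d is None:
        return ["malformed header (missing or non-numeric max-age)"]
    findings = []
    if d["max-age"] < expected_max_age:
        findings.append(f"max-age {d['max-age']} is below {expected_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings

if __name__ == "__main__":
    # Pass an https:// URL as argv[1] to check a live server; otherwise use a sample.
    if len(sys.argv) > 1:
        value = urllib.request.urlopen(sys.argv[1]).headers.get("Strict-Transport-Security")
    else:
        value = "max-age=63072000; includeSubDomains"  # constructed sample header
    for line in check_policy(value) or ["OK: header matches the documented policy"]:
        print(line)
```

Run it against the Arc URL after each restart: an empty finding list means the policy is active as documented, and the "no header" finding after setting usehsts: false confirms step 1 of the removal procedure took effect.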


Additional Information

More information about all available security settings can be found in the settings.sample.yml file inside the Arc installation directory.
