What is HSTS, and how do we enable it for our site?
HSTS (HTTP Strict Transport Security)
Oracle B2C Service, All supported versions
Sites that use custom domain SSL
We are interested in learning about HSTS (HTTP Strict Transport Security), and/or would like to have it enabled for our site.
HSTS stands for HTTP Strict Transport Security. It further protects a website from malicious activity by requiring that all transactions between the client device and our servers use HTTPS only. This applies to your end users' experience on your customer portal as well as to your agents' instances of the admin console. HSTS helps prevent protocol downgrade attacks and cookie hijacking by imposing strict browsing requirements on client devices.
The 'preload' option can also be employed. It tells major browsers to include your custom domain in the HSTS preload list shipped with their published releases, further enhancing security by ensuring that the parent domain has been validated by Mozilla Firefox, Microsoft IE/Edge, Google Chrome and other browser vendors. Once the domain has been submitted for inclusion in the preload list, the change cannot be reversed by Oracle.
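As an added example (not part of the original article and not Oracle's own tooling), the following Python script parses the Strict-Transport-Security response header that enforces the behaviour described above, shows that a browser only honours the header when it arrives over HTTPS, and lists why a given header would not yet satisfy the preload list requirements (a max-age of at least one year plus the includeSubDomains and preload directives). The sample responses inside it are constructed, not captured from any real site.

```python
from collections import namedtuple
from typing import Dict, List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum the preload list accepts
HstsPolicy = namedtuple("HstsPolicy", "max_age include_subdomains preload")

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
    case-insensitive names, max-age mandatory, includeSubDomains/preload are flags."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():  # a browser ignores a malformed header entirely
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def hsts_from_response(scheme: str, headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """Policy a browser would record, or None: HSTS is only honoured over HTTPS; header names match case-insensitively."""
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None

def preload_problems(policy: HstsPolicy) -> List[str]:
    """Reasons the policy would be rejected for preloading (empty list = eligible)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":  # constructed sample responses, not captured from any real site
    for scheme, hdrs in (("http", {"Strict-Transport-Security": "max-age=31536000"}),
                         ("https", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})):
        policy = hsts_from_response(scheme, hdrs)
        print(scheme, "->", "ignored by browser" if policy is None else preload_problems(policy) or "eligible for preload")
```

Because preloading cannot be reversed once submitted, run a check like this against the header your custom domain actually serves before requesting the preload option.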
If you are interested in enabling HSTS for your B2C Service instance, please submit a ticket to Technical Support. You must first have your own custom domain in place for the relevant interface, and ensure that your internal network is properly set up for SSL only.