KB-1638 HSTS FAQ

Does Appian support HSTS (HTTP Strict Transport Security) headers?

Yes.

How can I enable the HSTS header on Appian Cloud sites?

This is enabled by default on Appian Cloud sites.

How can I enable HSTS on Appian self-managed environments?

This needs to be enabled on the web server that is being used with Appian. Refer to the documentation of the respective web server to find out more on how to implement this feature.

How do I confirm if my Appian site is enabled with the HSTS header?

Use the browser's network tool to confirm whether HSTS is being used: select a request to the site and check its response headers for Strict-Transport-Security.

Does Appian support HSTS Preloading?

Yes.

Is HSTS Preloading enabled on Appian Cloud instances configured with the default appiancloud.com domain?

Yes, HSTS Preloading is implemented for Appian Cloud sites configured with the default domain. The appiancloud.com domain is included in the preload list maintained by Google.

Is HSTS Preloading enabled on Appian Cloud customer instances with custom domains?

Appian Cloud sets the preload directive in the Strict-Transport-Security header for all customer instances, including those configured with custom domains. Refer to the Mozilla Developer Network for more details on preloading Strict Transport Security.

Customers who need their domain included in the preload list maintained by Google can submit their own custom domain to the HSTS Preload list.

Is HSTS Preloading enabled on Appian Community Edition instances?

At this time, Appian Community Edition (ACE) sites do not have the HSTS preload directive enabled.

How can I enable HSTS Preloading on self-managed environments?

This needs to be enabled on the web server that is being used with Appian using the preload directive in the Strict-Transport-Security header. Refer to the documentation of the respective web server to find out more on how to implement this feature.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: July 2022
