# How to Set Up Strict-Transport-Security (HSTS) in Istio

Secure your website by setting the Strict-Transport-Security HTTP header, or HSTS. This header will inform the browser that it should never load your website using the HTTP protocol, instead, the browser should convert all requests to HTTPS. You can easily configure Istio to set this header on each request.

**Explanation**

If your website accepts connections via HTTP protocol and redirects the user to HTTPS, visitors could get a non-encrypted version of your site before redirecting. This can be the case if the user for example calls **http://**[www.yoursite.com](http://www.yoursite.com) instead of **https://**[www.yoursite.com](http://www.yoursite.com) This creates an opportunity for a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Visitors could be redirected to some kind of evil website and not to the HTTPS version of your site.

**Prerequisites**

* [Create and configure the Istio gateway with your domain](https://istio.io/latest/docs/reference/config/networking/gateway/)
    
* [Configure HTTPS (SSL)](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/)
    

**Set Strict-Transport-Security (HSTS) header in Istio Virtual-Service**

```yaml
kind: VirtualService
apiVersion: networking.istio.io/v1beta1
metadata:
  name: my-virtual-service
  namespace: default
spec:
  hosts:
   - yoursite.com
  gateways:
    - istio-system/my-gateway
  http:
    - name: default-route
      route:
        - destination:
            host: my-service
            port:
              number: 80
          headers:
            response:
              set:
                Strict-Transport-Security: max-age=31536000; includeSubDomains
```

You can test your configuration here [https://hstspreload.org/](https://hstspreload.org/) or your complete SSL s[e](https://hstspreload.org/)tup including HSTS at [https://www.ssllabs.com/ssltest/.](https://www.ssllabs.com/ssltest/) If your test was successful you could also add the "preload" feature. This will add your website to the major browser's HSTS preload lists. **Before doing so I recommend reading**[**this paragraph**](https://hstspreload.org/#opt-in)**on why you should maybe not activate this feature.**

**Helpful Links**

* [MDN web docs: HTTP Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
    
* [Istio Docs](https://istio.io/latest/docs/)
    
* [Cert-Manager for Kubernetes](https://cert-manager.io/docs/installation/kubernetes/)
    

Leave a comment or contact me via DM when you have a problem or a question.
