Technical Advisory: HTTP Strict-Transport-Security Support

Andrew_Gutierre

Employee

20-09-2019

Effective October 3, 2019, Audience Manager (AAM) and Experience Cloud ID Services (ECID) will implement support for HTTP Strict-Transport-Security.

HTTP Strict-Transport-Security (HSTS) is a security policy mechanism that helps protect against cookie hijacking and protocol downgrade attacks by not permitting HTTP traffic and transparently upgrading to HTTPS.

This change is being made to improve data security between the client and Adobe edge servers that support AAM and ECID functionality. The release is also a prerequisite to changes needed for Chrome’s SameSite cookie labeling requirements.

The following changes will be made as part of this release:

  • Redirect all traffic from HTTP to HTTPS
  • Set the “Strict-Transport-Security” header on HTTPS responses
  • Enable “preload” to make non-compliant clients perform a transparent protocol upgrade

After this change, clients with insecure websites may see an increase in response times due to the backend redirects required to enforce secure communication.

Based on internal analysis, less than 4% of customer traffic will be impacted by this release; however, we recommend that all customers ensure they are using HTTPS for their site traffic.

We regret any inconvenience this may cause; however, we take security and compliance seriously and feel that the benefits of this change outweigh the costs.

If you have any questions or concerns, please direct them to your account manager or Customer Care teams.

Sincerely,

- Adobe Audience Manager + Identity Service team (ECID)
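
One way to check the three listed changes from the client side, as an added example that is not Adobe's code: it parses the `Strict-Transport-Security` header and audits recorded responses for the redirect, the header, and preload eligibility. The `example.com` hosts and sample responses are constructed, and the one-year `max-age` and `includeSubDomains` conditions for preload are the hstspreload.org submission rules, not something stated in this advisory.

```python
import re
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(responses):
    """Check (url, status, headers) records against the three listed changes."""
    findings = []
    for url, status, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        sts = h.get("strict-transport-security")
        if urlsplit(url).scheme == "http":
            target = urlsplit(h.get("location", "")).scheme
            if status not in (301, 302, 307, 308) or target != "https":
                findings.append((url, "HTTP request is not redirected to HTTPS"))
            if sts is not None:  # browsers ignore HSTS received over plain HTTP
                findings.append((url, "HSTS header sent over plain HTTP"))
        elif sts is None:
            findings.append((url, "HTTPS response lacks Strict-Transport-Security"))
        else:
            p = parse_hsts(sts)
            if not p["max_age"]:  # missing, malformed, or 0 (0 clears the policy)
                findings.append((url, "max-age missing or zero"))
            elif p["preload"] and not (p["include_subdomains"] and p["max_age"] >= PRELOAD_MIN_AGE):
                findings.append((url, "preload set but policy is not preload-eligible"))
    return findings

# Constructed sample responses; the example.com hosts are placeholders.
SAMPLE = [
    ("http://edge.example.com/id", 302, {"Location": "https://edge.example.com/id"}),
    ("https://edge.example.com/id", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("http://legacy.example.com/id", 200, {"Strict-Transport-Security": "max-age=600"}),
    ("https://legacy.example.com/id", 200, {"strict-transport-security": "max-age=600; preload"}),
]
for url, problem in audit(SAMPLE):
    print(f"{url}: {problem}")
```
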