As many customers asked for it, we’re happy to announce that Microsoft Exchange Server now officially supports HTTP Strict Transport Security, also known as HSTS.
What is HSTS and how can it help p...
Updated Aug 31, 2023
Version 2.0
Blog Post
According to my knowledge, No. its not for Autodiscover URL.
HSTS is a policy mechanism that helps to protect websites (OWA or ECP when it comes to Exchange Server) against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It is a widely supported standard that was defined in RFC 6797.
It allows web servers to declare that web browsers should only interact with them using HTTPS connections, which provide encryption and authentication. The browser is instructed to enforce HSTS when it receives the Strict-Transport-Security (STS) header over an HTTPS connection.
HSTS prevents users from bypassing invalid certificate warnings (for example, expired, invalid or not trusted certificates, name mismatches…), which could indicate a compromised connection.
If an attacker tries to perform a protocol downgrade attack or a man-in-the-middle attack, the browser will detect the violation of the HSTS policy and abort the connection.