Strict-Transport-Security

The HTTP Strict-Transport-Security response header is a security measure that informs clients that the site and its resources shall only be accessed using HTTPS.

Usage

When the HTTP Strict-Transport-Security response header is present, clients must interact with the site only over HTTPS. Requests made over HTTP are automatically upgraded to HTTPS, and if HTTPS is not available, access to the resources is blocked. The header has three directives: max-age, includeSubDomains, and preload.

max-age=

The max-age=<seconds> directive is required. It sets the number of seconds for which the client must remember that the site is to be accessed only over HTTPS. The recommended value is two years, or 63,072,000 seconds.

includeSubDomains

When the includeSubDomains attribute is present, the HTTPS requirement applies to all of the site’s subdomains.

preload

The preload attribute is not part of the HSTS standard. It signals the site's consent to be included in the HSTS preload list, a service maintained by Google. If a domain is submitted to the service and accepted for preloading, supporting browsers will never connect to it over HTTP; they automatically substitute HTTPS when the HTTP scheme is entered into the address bar.

Example

In this example, the server is telling the client to use only HTTPS for the next year. Access to the domain or any of its subdomains is refused if HTTPS is not available.

Response

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
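
The following is an added example, not part of the original page: a small Python parser and auditor for Strict-Transport-Security header values that checks the three directives described above. It assumes the two-year recommendation given above and treats the preload service's requirement of a one-year minimum max-age plus includeSubDomains as an assumption taken from that service's submission rules.

```python
import re

RECOMMENDED_MAX_AGE = 63_072_000  # two years, the value recommended above
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year; assumed minimum required by the preload service

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.
    Directives are ';'-separated and case-insensitive; max-age may be quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';'
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear at most once
            policy["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy["max_age"] = int(arg)
            else:
                policy["errors"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        else:
            policy["errors"].append(f"unrecognized directive ignored: {name}")
    return policy

def audit_hsts(value: str) -> list:
    """Return the weaknesses a defender would flag in an HSTS header value."""
    p = parse_hsts(value)
    findings = list(p["errors"])
    if p["max_age"] is None:
        findings.append("max-age is required; the header is invalid without it")
    elif p["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {p['max_age']} is below the recommended {RECOMMENDED_MAX_AGE}")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains remain reachable over plain HTTP")
    if p["preload"] and (not p["include_subdomains"] or (p["max_age"] or 0) < PRELOAD_MIN_MAX_AGE):
        findings.append("preload requires includeSubDomains and a max-age of at least one year")
    return findings
```

Run against the example header above, `audit_hsts("max-age=31536000; includeSubDomains; preload")` reports only that the one-year max-age is below the recommended two years.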

Takeaway

The HTTP Strict-Transport-Security response header is used to inform the client that it needs to use HTTPS, rather than HTTP, for a set time.

Last updated: June 2, 2022