Strict-Transport-Security
The HTTP Strict-Transport-Security response header instructs browsers to access a site exclusively over HTTPS for a specified duration.
Baseline: Widely available. Supported across all major browsers.
Usage
The Strict-Transport-Security header is the mechanism behind HTTP Strict Transport Security (HSTS). When a browser receives this header over a secure connection, the browser records the directive and automatically upgrades all future HTTP requests to HTTPS for the specified domain. If the secure connection is unavailable, the browser refuses access entirely rather than falling back to plain HTTP.
This header is only respected when delivered over HTTPS. A response served over plain HTTP containing Strict-Transport-Security is ignored, because an attacker on the network path is able to inject or modify the header.
The header accepts three directives: max-age, includeSubDomains, and preload.
Directives
max-age
The max-age directive is required. Its value is the number of seconds for which the browser enforces HTTPS for the domain, counted from the moment the header is received. A common production value is 63072000 (two years). Setting max-age=0 immediately clears the HSTS entry from the browser cache.
includeSubDomains
The includeSubDomains directive extends the HTTPS enforcement to every subdomain of the host. Without this directive, HSTS applies only to the exact domain named in the response. Adding includeSubDomains prevents an attacker from using a plain-HTTP subdomain to set cookies for the parent domain or to redirect traffic.
preload
The preload directive is not part of the HSTS specification. Browser vendors maintain HSTS preload lists, and the preload directive signals the domain owner's intent to be included. Once a domain appears on a preload list, browsers enforce HTTPS from the very first connection, eliminating the window of vulnerability before the first Strict-Transport-Security header is received. Submitting a domain to the preload list requires a max-age of at least two years and the includeSubDomains directive.
Example
A server enforcing HTTPS for two years across all subdomains, with preload eligibility:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
A minimal configuration setting HSTS for six months on the primary domain only:
Strict-Transport-Security: max-age=15768000
Clearing the HSTS entry by resetting the max-age to zero, useful during migrations or testing:
Strict-Transport-Security: max-age=0
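To make the rules above concrete, here is an added Python model of how a browser handles this header (example code written for this page, not a browser's or any library's implementation). It parses the directive list, refuses a policy delivered over plain HTTP, expires a policy after max-age seconds, applies includeSubDomains matching, rewrites http:// URLs to https://, and checks the preload requirements stated above. The header strings and host names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TWO_YEARS = 63072000  # the page's production max-age value

@dataclass
class HstsPolicy:
    host: str                # lowercase host the policy was received from
    expires: float           # absolute time (seconds) after which it lapses
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> dict:
    """Split 'name=value; name' directives; {} if max-age is missing or
    non-numeric, mirroring a browser that ignores a malformed header."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return {}
    return directives

def record_policy(host: str, header: str, over_https: bool, now: float) -> Optional[HstsPolicy]:
    """The header only counts when received over HTTPS; max-age=0 yields an
    already-expired policy, which is equivalent to clearing the entry."""
    d = parse_hsts(header) if over_https else {}
    if not d:
        return None
    return HstsPolicy(host.lower(), now + int(d["max-age"]),
                      "includesubdomains" in d, "preload" in d)

def applies(policy: HstsPolicy, host: str, now: float) -> bool:
    """Exact host always matches; subdomains only with includeSubDomains."""
    if now >= policy.expires:
        return False
    host = host.lower()
    return host == policy.host or (policy.include_subdomains and host.endswith("." + policy.host))

def upgrade_url(policy: HstsPolicy, url: str, now: float) -> str:
    """Return the URL the browser would actually fetch: http -> https,
    dropping an explicit :80 but keeping any other explicit port."""
    parts = urlsplit(url)
    if parts.scheme == "http" and applies(policy, parts.hostname or "", now):
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()
    return url

def preload_eligible(header: str) -> bool:
    """Preload requirements as the page states them: two-year max-age,
    includeSubDomains, and the preload directive itself."""
    d = parse_hsts(header)
    return bool(d) and int(d["max-age"]) >= TWO_YEARS and "includesubdomains" in d and "preload" in d
```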
Takeaway
The Strict-Transport-Security header forces browsers to use HTTPS for all future requests to the domain, removing the possibility of plaintext HTTP connections after the first secure visit.