HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that allows a website to declare that it should only be accessed via HTTPS, and that any attempt to use HTTP should be automatically upgraded or rejected.

A site enables HSTS by sending the Strict-Transport-Security HTTP response header over a secure connection. The header typically includes max-age, which specifies the duration in seconds that the policy applies, and may include directives such as includeSubDomains to extend the policy to all subdomains, and preload to request inclusion in browser preload lists. The policy is defined in RFC 6797.

Once a user’s browser has stored the policy, all subsequent requests to the domain over HTTP are automatically upgraded to HTTPS, and non-secure connections are blocked for the max-age period. The initial connection may still occur over HTTP if the policy has not yet been seen by the browser, which is why some sites opt to participate in the preload list so the policy is enforced from the first visit.

Preloading requires submitting to a browser vendor’s preload program; if accepted, the policy is enforced by major browsers from the very first visit. To participate, a site must serve requests over HTTPS, specify a long max-age (often one year or more), and includeSubDomains.

Benefits and caveats: HSTS helps prevent protocol downgrade and cookie hijacking, but it is not a substitute for proper TLS or for verifying the server’s identity. Misconfigurations can lock services out of subdomains, or cause breakage if mixed content or HTTP resources are loaded. It does not protect against social engineering or phishing, and it provides no security if a user first visits over HTTP before the policy is known.
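The header syntax, the preload conditions and the browser-side behaviour described above (learn the policy only over HTTPS, upgrade http:// requests until max-age expires, apply it to subdomains when includeSubDomains is set), as an added example that is not part of the original page. The HstsStore class is a simplified model written for this page, not any browser's implementation, and the one-year threshold in preload_eligible is an assumption taken from the "often one year or more" guidance above.

```python
from collections import namedtuple

ONE_YEAR = 31536000  # seconds: the "long max-age" the page says preloading expects
HstsPolicy = namedtuple("HstsPolicy", "max_age include_subdomains preload")

def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797 (directive names are case-insensitive)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                raise ValueError("max-age must appear once with a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True  # any other directive is ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_eligible(policy):
    # the three conditions the page lists: long max-age, includeSubDomains, preload
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (policy, expiry time in seconds)."""
    def __init__(self):
        self.policies = {}

    def learn(self, host, header, over_https, now):
        if not over_https:  # RFC 6797: the header is ignored on a plain-HTTP response
            return
        policy = parse_hsts(header)
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self.policies.pop(host, None)
        else:
            self.policies[host] = (policy, now + policy.max_age)

    def should_upgrade(self, host, now):
        labels = host.split(".")  # would an http:// request to host be rewritten to https://?
        for i in range(len(labels)):  # check the host itself, then each parent domain
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None or now >= entry[1]:
                continue  # unknown or expired: the request would go out over HTTP
            if i == 0 or entry[0].include_subdomains:
                return True
        return False
```

The first-visit gap the page describes shows up directly: a store that has never seen the header over HTTPS returns False from should_upgrade, which is exactly what preloading is meant to close.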