Oct 22, 2018

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS, defined in RFC 6797) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to close the gap left by the common practice of redirecting users from http:// to https:// URLs: a redirect only takes effect after the browser has already sent a plaintext request, and an attacker on the network can intercept or rewrite that request before the redirect is ever seen. With HSTS in place, the browser never sends the plaintext request at all.
When a browser knows that a domain has enabled HSTS, it does two things:
  • Rewrites any http:// URL for that domain to https:// before a connection is made, whether the user clicked an http:// link, typed the domain into the location bar without a protocol, or loaded a subresource over http://.
  • Treats any certificate error for that domain as a hard failure: the user is no longer offered a warning page that can be clicked through.
A domain instructs browsers that it has enabled HSTS by returning an HTTP header over an HTTPS connection. Browsers ignore the header if it arrives over plain HTTP, since an attacker on the path could otherwise set or clear the policy. The http:// to https:// redirect is therefore still needed for a visitor's first request; HSTS protects every request after that.
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain (not its subdomains), and to remember it for a given number of seconds, counted from the most recent response that carried the header; a value of max-age=0 tells the browser to forget the policy:
Strict-Transport-Security: max-age=31536000;
In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, that is, shipped in the browser's built-in HSTS list so that even a first visit is protected. The preload list (hstspreload.org) requires a max-age of at least one year (31536000 seconds) along with includeSubDomains and preload, and because includeSubDomains applies to every subdomain, including internal or forgotten ones, all of them must serve valid HTTPS before this form is deployed; removal from the preload list takes months to reach users:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
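The browser behaviour described above (the header accepted only over HTTPS, the max-age expiry, includeSubDomains matching, and the rewrite of http:// URLs before any connection) can be modelled in a few dozen lines. The following is an added example, not code from the original page or from any browser; the class and function names, the hosts, the header values and the fixed clock are all constructed for illustration. The cache does not model the certificate-warning behaviour, which has no equivalent outside a browser's TLS stack.

```python
"""Minimal model of a browser's HSTS handling per RFC 6797.

Added illustration; hosts, headers and the clock below are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_sts(header):
    """Parse a Strict-Transport-Security value into a dict.

    Returns None when the header is invalid: missing or non-numeric max-age,
    or a directive repeated (RFC 6797 requires browsers to ignore such headers).
    Unknown directives are ignored; a trailing ';' is tolerated.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age="123" is a valid quoted form
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsCache:
    """Per-host HSTS policies, keyed by the exact host that set them."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.store = {}                # host -> (expires_at, include_subdomains)

    def observe(self, url, header):
        """Record the policy from a response. Only HTTPS responses count."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False               # header over plain HTTP is ignored
        policy = parse_sts(header)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:     # max-age=0 removes a stored policy
            self.store.pop(host, None)
            return True
        self.store[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or an includeSubDomains ancestor, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.store.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.now():
                continue               # expired: behaves as if never set
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url):
        """Rewrite http:// to https:// for known hosts before connecting."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"   # explicit non-default ports are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_eligible(header):
    """Check the header against the hstspreload.org directive requirements."""
    p = parse_sts(header)
    return bool(p and p["preload"] and p["include_subdomains"]
                and p["max_age"] >= PRELOAD_MIN_MAX_AGE)
```

A practical use of `preload_eligible` is as a pre-deployment check in a CI job that fetches the site's own header; `HstsCache` is mainly useful for reasoning about which hosts a given policy will cover, for example confirming that a policy set on example.gov with includeSubDomains also upgrades api.example.gov but not notexample.gov.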