Strict-Transport-Security
Response header Security

Overview

Strict-Transport-Security (HSTS) is a security header telling the browser to only ever connect to this site over HTTPS. Once received, for the duration of max-age the browser auto-upgrades any http:// attempt to https:// and won't let the user click through certificate errors.

It is a key defense against SSL stripping (a man-in-the-middle downgrade to HTTP) and hijacking the first plaintext request.

Details

Browsers trust the HSTS header only on HTTPS responses (HSTS on an HTTP response is ignored). On receipt, they internally force all requests to that host over HTTPS for max-age, and with includeSubDomains they apply the same to every subdomain.

preload is special: listing your domain in the browser vendors' preload list forces HTTPS from the very first request even if the user has never visited before. This closes the first-visit vulnerability window, but getting listed is practically hard to undo.

The recommended setup is a long max-age (e.g. 2 years = 63072000) with includeSubDomains, and preload once you're ready. Also configure an HTTP (80) to HTTPS (443) redirect so the initial hit reaches HTTPS.

Syntax

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]

e.g. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Directives / values

max-age=<seconds>How long (seconds) the browser enforces HTTPS. 0 clears the policy immediately.
includeSubDomainsApplies HTTPS enforcement to all subdomains too.
preloadConsents to browser preload-list inclusion — enforces HTTPS from the very first visit.

Notes

Related headers

Content-Security-PolicyUpgrade-Insecure-Requests

Related status codes

Specification