HSTS (HTTP Strict Transport Security) is a security mechanism that instructs browsers to always connect to a website using HTTPS, even if the user types http:// or follows a plain HTTP link. It is delivered via an HTTP response header and cached by the browser for a set duration.
The HSTS Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age — How long (in seconds) the browser remembers to use HTTPS. 31536000 = 1 year.
- includeSubDomains — Applies the policy to all subdomains.
- preload — Opts the domain into the HSTS preload list (see below).
What HSTS Prevents
- SSL stripping attacks — An attacker intercepts an HTTP request before it redirects to HTTPS. HSTS prevents this by making the browser send HTTPS requests directly.
- Mixed content issues — The browser rewrites http:// references to the HSTS host (and to its subdomains when includeSubDomains is set) to https:// before loading them, so same-site resources are not fetched over plain HTTP.
- Accidental HTTP access — Users who type the domain without https:// still get a secure connection.
HSTS Preload
The HSTS preload list is a database of domains hardcoded into browsers as HTTPS-only. Even on the very first visit — before any HSTS header can be received — the browser uses HTTPS. Submit your domain at hstspreload.org. This is the strongest form of HSTS enforcement.
Important Consideration
Once HSTS is deployed, the site must maintain a valid HTTPS certificate for the full max-age duration. If HTTPS breaks, users will be completely locked out until the HSTS cache expires or is manually cleared.
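As an added example (not code from the original article), the following Python simulates how a browser parses the Strict-Transport-Security header, caches the policy for max-age seconds, applies it to subdomains, and drops it when it expires or when max-age=0 is sent; it also checks the header-level requirements of the preload list. The host names and the `remember` / `must_use_https` functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) after which the browser forgets the entry
    include_subdomains: bool

def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None means the header is invalid and ignored."""
    directives = {}
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in directives:
            return None                   # RFC 6797: a repeated directive invalidates the header
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None                       # max-age is required; unknown directives are ignored
    return {"max_age": int(max_age), "preload": "preload" in directives,
            "include_subdomains": "includesubdomains" in directives}

def remember(cache: Dict[str, HstsPolicy], host: str, header: str, now: float,
             over_https: bool = True) -> None:
    """Update the simulated browser cache as a UA does when it receives the header."""
    policy = parse_hsts(header)
    if not over_https or policy is None:
        return                            # headers seen on plain HTTP are ignored by browsers
    if policy["max_age"] == 0:
        cache.pop(host, None)             # max-age=0 tells the browser to forget the host
        return
    cache[host] = HstsPolicy(now + policy["max_age"], policy["include_subdomains"])

def must_use_https(cache: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """True if an http:// request to host would be rewritten to https:// before it is sent."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = cache.get(".".join(labels[i:]))   # exact host first, then each parent domain
        if policy is None or policy.expires <= now:
            continue                      # missing or expired entry: the lockout ends here
        if i == 0 or policy.include_subdomains:
            return True
    return False

def preload_header_ok(header: str) -> bool:
    """Header-level checks the preload list requires: max-age of at least one year, includeSubDomains, preload."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= 31536000 and p["include_subdomains"] and p["preload"])
```

The expiry check in `must_use_https` is the "cache expires" case from the paragraph above: until that moment every http:// request to the host is upgraded, whether or not HTTPS still works.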