
Strict-Transport-Security

Description

The Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that tells browsers to only access the website using HTTPS instead of HTTP. Once a browser has received this header from a website over a valid HTTPS connection, it will automatically convert all attempts to access the site using HTTP to HTTPS for a specified period of time, and it will refuse to connect, with no click-through option, if the site later presents a certificate error. Browsers ignore the header when it arrives over plain HTTP, so a user's very first visit to a site (before any policy has been cached) is still unprotected unless the domain is in a browser's preload list.

This header helps protect against several types of attacks, including:
  • Man-in-the-middle attacks: the browser never sends the plaintext HTTP request that an on-path attacker could intercept or modify, and it hard-fails on certificate errors instead of offering the user a way to click through a forged certificate.
  • Protocol downgrade attacks: an attacker on the network cannot force the browser back to unencrypted HTTP (for example by rewriting https:// links to http:// in an intercepted page), because the rewrite to HTTPS happens inside the browser before the request leaves it.
  • Cookie hijacking: cookies for the domain are only ever sent over encrypted connections, so a cookie that lacks the Secure attribute is not leaked in a plaintext request. Setting the Secure attribute remains the proper defence for the cookie itself; HSTS is a backstop, not a replacement.

HSTS is particularly valuable for websites that handle sensitive information, as it provides an additional layer of security beyond using HTTPS certificates alone.

Syntax

The syntax of the Strict-Transport-Security header follows this structure:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]
  • max-age=<seconds>: Required parameter specifying how long (in seconds) browsers should remember that the site should only be accessed using HTTPS. The timer restarts each time the header is received, so a regularly visited site never expires. A value of 0 tells the browser to discard its stored policy for the host.
  • includeSubDomains: Optional directive indicating that the HSTS policy applies to all subdomains of the current domain. It also covers subdomains that are not (yet) served over HTTPS, such as internal or legacy hosts, so check every subdomain before enabling it.
  • preload: Optional directive indicating that the site owner consents to having their domain preloaded in browsers. The directive has no effect on the browser that receives it; the domain must be explicitly submitted to the browser preload lists separately.

Directive names are case-insensitive and may appear in any order. A browser ignores the entire header if max-age is missing, if any directive is repeated, or if the header arrives over plain HTTP.

Example Syntax

Strict-Transport-Security: max-age=31536000; includeSubDomains

This example tells browsers to remember to use HTTPS for this domain and all its subdomains for one year (31,536,000 seconds).

Examples

Basic HSTS Example

A response with a simple HSTS header:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 20:00:00 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Content-Length: 1234

<!DOCTYPE html>
<html>
<head><title>Secure Website</title></head>
<body><p>This website enforces HTTPS connections.</p></body>
</html>

HSTS with SubDomains Example

A response extending HSTS protection to all subdomains:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 20:10:30 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 1345

<!DOCTYPE html>
<html>
<head><title>Secure Website</title></head>
<body><p>This website and all its subdomains enforce HTTPS connections.</p></body>
</html>

HSTS with Preload List Eligibility

A response indicating eligibility for browser preload lists:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 20:20:45 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 1456

<!DOCTYPE html>
<html>
<head><title>Secure Website</title></head>
<body><p>This website is eligible for HSTS preloading in browsers.</p></body>
</html>

With the preload directive, the site owner indicates consent for the domain to be included in browsers' built-in HSTS preload lists. Preloading closes the first-visit gap, because the browser enforces HTTPS before it has ever contacted the site. The directive alone does nothing: the domain must still be manually submitted to these lists (e.g., at hstspreload.org), which requires, among other checks, a max-age of at least 31536000 (one year), includeSubDomains, the preload directive served on the base domain, and a redirect from HTTP to HTTPS on the same host. Treat preloading as a one-way decision: every current and future subdomain must work over HTTPS, and removal from the lists only takes effect as new browser releases ship, which can take months.
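Serving the header correctly matters as much as its value: browsers ignore it on http:// responses, and the preload checks expect plaintext requests to be redirected to HTTPS on the same host before the HTTPS response carries the header. The following WSGI wrapper is an added example (not code from the original page or from hstspreload.org) that does exactly that; hello_app, the hostnames and the allowed_hosts parameter are constructed for the illustration.

```python
# Added example (not code from the original page): a WSGI wrapper that sends the
# header the way browsers and hstspreload.org expect. `hello_app` and the
# hostnames are constructed placeholders; `allowed_hosts` is an assumed parameter.
from typing import Callable, Set, Tuple

HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"


def hsts_middleware(app: Callable, allowed_hosts: Set[str], header_value: str = HSTS_VALUE) -> Callable:
    """Redirect plaintext HTTP to HTTPS and add HSTS to every HTTPS response.

    Browsers ignore the header on http:// responses (RFC 6797 section 8.1), and the
    preload checks want a same-host HTTP-to-HTTPS redirect, so the redirect carries
    no HSTS header while every HTTPS response (including redirects and errors) does.
    """
    def wrapped(environ, start_response):
        host = (environ.get("HTTP_HOST") or "").lower()
        if host not in allowed_hosts:
            # Never build a redirect from an unvalidated Host header: that would turn
            # the HTTPS upgrade into an open redirect controlled by the client.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Define the policy in one place: drop any copy the app set, then add ours.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", header_value))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Constructed placeholder application."""
    body = b"<p>This website enforces HTTPS connections.</p>"
    start_response("200 OK", [("Content-Type", "text/html; charset=UTF-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: Callable, scheme: str, host: str, path: str = "/", query: str = "") -> Tuple[str, dict, bytes]:
    """Drive a WSGI app in-process (no server, no network); returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    site = hsts_middleware(hello_app, {"example.com"})
    print(call(site, "http", "example.com", "/login", "next=1")[:2])
    print(call(site, "https", "example.com")[:2])
```

The Host allowlist is the part most often skipped: a redirect built from an unchecked Host header lets anyone who can send a request turn the HTTPS upgrade into a redirect to a domain of their choosing. Behind a TLS-terminating proxy, wsgi.url_scheme must be derived from a trusted forwarded-proto header, otherwise every request looks like plaintext and the wrapper would redirect forever.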

Short-term HSTS Example

A response with a shorter HSTS duration for testing purposes:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 20:30:15 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=3600
Content-Length: 1234

<!DOCTYPE html>
<html>
<head><title>Secure Website (Testing HSTS)</title></head>
<body><p>This website is testing HSTS with a short duration.</p></body>
</html>

This example sets the HSTS policy for only one hour (3600 seconds), which is useful during an initial rollout: if some subdomain or resource turns out not to work over HTTPS, users who already received the header are locked out for at most an hour. Raise max-age in steps (for example a day, then a week, then a year) once HTTPS works everywhere. Sending max-age=0 tells browsers to drop the stored policy immediately, but only for users who visit again over HTTPS, and it cannot undo a preload-list entry.
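The browser side of all this, as an added example that is not code from the original page or from any browser: a parser for the header syntax given in the Syntax section, a check of a header value against the hstspreload.org requirements discussed under the preload example, and a small model of a browser's HSTS cache that shows the first-visit gap, the header being ignored over plain HTTP, subdomain matching, a short testing max-age lapsing, and max-age=0 backing the policy out. The hostnames and timestamps are constructed.

```python
# Added example; not code from the original page or from any browser.
# Directive handling follows RFC 6797 s6.1; the preload check follows hstspreload.org.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value; raise ValueError for anything a browser would ignore."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue  # tolerate a trailing semicolon
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":  # value may be quoted; must be a non-negative integer
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(policy: HstsPolicy) -> List[str]:
    """Reasons the header value alone would fail the hstspreload.org checks.
    (The redirect and certificate checks need a live site and are not modelled.)"""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age must be at least 31536000")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload directive is required")
    return problems

class HstsStore:
    """Minimal model of a browser's HSTS cache (no built-in preload list)."""
    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def process_response(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        if scheme != "https" or header is None:
            return  # RFC 6797 s8.1: the header is only honoured over a secure transport
        try:
            policy = parse_hsts(header)
        except ValueError:
            return  # malformed header: ignore it and keep any existing entry
        host = host.lower()
        if policy.max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self._entries[host] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue  # unknown or expired
            if i == 0 or entry[1]:  # exact match, or a parent with includeSubDomains
                return True
        return False

def demo() -> Dict[str, bool]:
    """Walk through the browser-side behaviour with constructed hosts and times."""
    store, t0, r = HstsStore(), 1_000_000.0, {}
    r["first_visit"] = store.should_upgrade("example.com", t0)  # trust on first use: nothing cached
    store.process_response("example.com", "http", "max-age=31536000", t0)
    r["after_http_header"] = store.should_upgrade("example.com", t0)  # ignored over plain HTTP
    store.process_response("example.com", "https", "max-age=3600; includeSubDomains", t0)
    r["after_https_header"] = store.should_upgrade("example.com", t0)
    r["subdomain"] = store.should_upgrade("api.example.com", t0)
    r["other_domain"] = store.should_upgrade("example.org", t0)
    r["after_expiry"] = store.should_upgrade("example.com", t0 + 3601)  # the test max-age lapses
    store.process_response("example.com", "https", "max-age=31536000", t0)
    store.process_response("example.com", "https", "max-age=0", t0)
    r["after_reset"] = store.should_upgrade("example.com", t0)  # max-age=0 backs the policy out
    return r
```

Running demo() gives False for the first visit and for the header received over HTTP, True for the domain and its subdomain once the header arrived over HTTPS, False for an unrelated domain, False again once the one-hour max-age has lapsed, and False after max-age=0 cleared the entry. Real browsers persist this store across restarts, which is why a mistaken one-year policy on a subdomain that cannot serve HTTPS is so hard to undo.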

Summary

The Strict-Transport-Security response header is a powerful security feature that helps protect websites and their users by enforcing HTTPS connections. By instructing browsers to only use secure connections for a specified period, HSTS removes the attack vectors that depend on a plaintext HTTP request ever being sent, with the caveat that a browser is only protected once it has received the header over HTTPS (or the domain is preloaded). When implementing HSTS, choose an appropriate max-age value (typically one year for production sites), decide whether to include subdomains only after confirming that every subdomain works over HTTPS, and consider preload list inclusion for maximum protection. Since HSTS has a lasting effect in browsers, deploy it carefully: start with a short max-age during testing, raise it once HTTPS works everywhere, and remember that max-age=0 can clear a cached policy but cannot undo a preload entry.