HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism used to enforce secure (HTTPS) connections between a client (such as a web browser) and a server^[600-developer-tools-security-Strict-Transport-Security.md]. Its primary purpose is to protect websites against protocol downgrade attacks and [[Man-in-the-Middle]] (MitM) attacks by ensuring that all communication is encrypted^[600-developer-tools-security-Strict-Transport-Security.md].

How it works

Servers enable HSTS by including the Strict-Transport-Security HTTP header in their responses^[600-developer-tools-security-Strict-Transport-Security.md].

For the policy to be accepted and enforced by the browser, the response containing the header must be transmitted over a secure, encrypted connection (HTTPS)^[600-developer-tools-security-Strict-Transport-Security.md]. If the header is sent over an unencrypted HTTP connection, the browser will ignore it^[600-developer-tools-security-Strict-Transport-Security.md].

When enabled, the browser adheres to two main rules^[600-developer-tools-security-Strict-Transport-Security.md]:

  1. Automatic Upgrade: All requests to the domain are converted to HTTPS. If a user attempts to access the site via an insecure link (e.g., http://example.com), the browser automatically rewrites the request to https://example.com before sending it^[600-developer-tools-security-Strict-Transport-Security.md].
  2. Certificate Enforcement: If the server presents an invalid [[TLS]] certificate, the user is prohibited from bypassing the browser's security warning to access the site^[600-developer-tools-security-Strict-Transport-Security.md].

Configuration

The Strict-Transport-Security header is configured using two primary directives^[600-developer-tools-security-Strict-Transport-Security.md]:

  • max-age: Specifies the duration, in seconds, that the browser should remember to access the site only via HTTPS. A common value is 31536000, representing one year^[600-developer-tools-security-Strict-Transport-Security.md].
  • includeSubDomains: An optional directive that applies the HSTS policy to all subdomains of the current domain as well^[600-developer-tools-security-Strict-Transport-Security.md].

Example

A typical implementation in a server-side environment (like Node.js) looks like this^[600-developer-tools-security-Strict-Transport-Security.md]:

res.setHeader('Strict-Transport-Security', 'max-age=16070400; includeSubDomains') // 16070400 seconds is about 186 days
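As an added example that is not part of the original page, the following JavaScript models the browser-side behaviour described above: the header is accepted only when it arrives over HTTPS, stored for max-age seconds (and for subdomains when includeSubDomains is present), and later used to rewrite http:// requests before they are sent. HstsStore, parseHsts and upgradeUrl are names chosen here, not Node.js or browser APIs.

```javascript
// Added example, not from the original page: a minimal model of how a browser records
// and applies an HSTS policy. HstsStore, parseHsts and upgradeUrl are names chosen here.

// Parse the header into its two directives; null if max-age is missing or not an integer.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const [name, value] = raw.trim().split('=').map((s) => s.trim());
    if (name.toLowerCase() === 'max-age' && /^\d+$/.test(value ?? '')) {
      maxAge = Number(value);
    } else if (name.toLowerCase() === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.policies = new Map(); } // hostname -> {expires, includeSubDomains}
  // Record the policy carried by a response. A header received over plain
  // HTTP is ignored; max-age=0 over HTTPS removes an existing policy.
  observeResponse(url, headerValue, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const p = parseHsts(headerValue);
    if (!p) return false;
    if (p.maxAge === 0) { this.policies.delete(u.hostname); return true; }
    this.policies.set(u.hostname, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
    return true;
  }

  // True if host is covered by an unexpired policy, either directly or through
  // a parent domain whose policy carries includeSubDomains.
  isKnown(host, now = Date.now()) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const p = this.policies.get(labels.slice(i).join('.'));
      if (!p || p.expires <= now) continue;
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }
  // Rewrite http:// to https:// before sending, as the browser does for known hosts.
  upgradeUrl(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.toString();
  }
}
```

Note that the expiry is checked on every lookup, so a policy whose max-age has elapsed silently stops upgrading requests unless the server keeps refreshing it on each HTTPS response.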

Related

  • [[HTTPS]]
  • [[TLS]]
  • HTTP Headers
  • [[Content Security Policy]]

Sources

  • 600-developer-tools-security-Strict-Transport-Security.md