HTTP Security Headers: Strict-Transport-Security
Author: HollyGraceful Published: 06 August 2021 Last Updated: 03 November 2022
Transport Layer Security (TLS), and its deprecated predecessor Secure Sockets Layer (SSL), are protocols that can be used to protect information in transit – and are the underlying protocols used by HTTPS to protect web traffic. They are designed to prevent an attacker who is able to intercept messages from being able to read or modify the contents of those messages.
Many web servers operate by redirecting users who request a HTTP (unencrypted) page to the HTTPS equivalent, however the initial plaintext connection is therefore at risk of interception and modification.
HTTP Strict Transport Security (HSTS) enforces the use of HTTPS in the web browser, ensuring that no information is sent to the domain (and optionally subdomains too), even if the user attempts to navigate to a HTTP page. This additionally mitigates the risk of cookies without the "secure" flag set, by enforcing all traffic is HTTPS only.
HSTS can be enabled by supplying the Strict-Transport-Security HTTP response header. The max age directive must also be supplied, which specifies for how many seconds the header should be enforced. It is recommended that the max-age is set to at least 180 days. For example:
It is also recommended that the header is configured to include sub-domains, so that all subdomains are protected, by using the includeSubDomains directive.
Additionally, it is recommended that preloading is enabled using the preload directive and that the site is submitted to the browser preload lists. This ensures that the first connection to the server uses HTTPS even if the user has never visited the site before. The following example includes these recommended directives:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload