
HTTP Strict Transport Security (HSTS)

Purpose

Why use this header at all?

The HSTS header tells the client (browser) that this domain is served over HTTPS and that, for as long as the policy is valid, the browser must not send it plain HTTP requests: any http:// URL for the domain is rewritten to https:// before the request leaves the client.

Recommendation

Consider the Impact of Compliance section below to see if this recommendation works for you.

Enable this header with a long validity period, including subdomains and preloading, if you have no requirement to support HTTP. More information, and the form for submitting your site to the preload list, can be found at hstspreload.org.

Risk Mitigated

By following this recommendation, what risk is mitigated?

HSTS prevents HTTP downgrade and man-in-the-middle (MitM) attacks that depend on the browser making a plaintext HTTP request.

Impact of Compliance

By using this header, you may expect these changes in your site's functionality

If you or your customers have a technical need for HTTP, or expect to within the next year, you should not enable this header. Once enabled, HTTP communication with the domain becomes impossible until the period set by max-age has elapsed.

Next Steps

What you can do to get there

Your server software should provide a mechanism for adding response headers such as this one.

Example

What this header may look like when implemented securely

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
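As an added example (not part of the original page), here is a small Python checker that parses a Strict-Transport-Security response header the way RFC 6797 section 6.1 describes (max-age required, directives case-insensitive and allowed only once, unknown directives ignored, max-age value optionally quoted) and measures it against the recommendation above. The one-year threshold is this example's own assumption about the preload list's minimum; the header strings it is run against are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed minimum max-age for preload-list submission (one year, in seconds).
ONE_YEAR = 31536000
# The two-year value used in the page's example header.
RECOMMENDED_MAX_AGE = 63072000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security field value (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # stray semicolons produce empty directives; skip them
        name, _, value = directive.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        value = value.strip()
        if name in seen:              # each directive may appear only once
            policy.errors.append(f"directive '{name}' appears more than once")
        seen.add(name)
        if name == "max-age":
            # The value may be a token or a quoted-string; strip the quotes.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if re.fullmatch(r"[0-9]+", value):
                policy.max_age = int(value)
            else:
                policy.errors.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            if value:
                policy.errors.append("includeSubDomains takes no value")
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Any other directive is ignored by user agents, so it is ignored here.
    if policy.max_age is None:
        policy.errors.append("max-age is required")
    return policy


def assess_hsts(header_value: str) -> List[str]:
    """Return findings against the page's recommendation; empty means compliant."""
    policy = parse_hsts(header_value)
    findings = list(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            # max-age=0 tells the browser to forget the policy entirely.
            findings.append("max-age=0 clears the policy; HSTS is effectively disabled")
        elif policy.max_age < ONE_YEAR:
            findings.append(
                f"max-age {policy.max_age} is below one year ({ONE_YEAR}); "
                f"the page's example uses {RECOMMENDED_MAX_AGE}"
            )
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not policy.preload:
        findings.append("preload missing: the first visit is unprotected until the browser sees the policy")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=63072000; includeSubDomains; preload",   # the page's example
        'max-age="31536000"; includeSubDomains',           # quoted value, no preload
        "max-age=0",                                       # clears the policy
        "includeSubDomains; preload",                      # missing max-age
        "max-age=100; Max-Age=200; preload",               # duplicate directive
    ]
    for value in samples:
        print(f"{value!r}: {assess_hsts(value) or 'OK'}")
```

Run it against the header your server actually returns (for example from the output of `curl -sI https://example.com`, which is a placeholder host) and treat any non-empty finding list as a gap between the deployed header and the recommendation.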
