HTTP Strict Transport Security (HSTS)
Why use this header at all?
The HSTS header tells the client (browser) that this domain must only be reached over HTTPS: a browser that has received it rewrites any http:// request for the domain to https:// before sending it, so no plaintext request leaves the client.
Consider the Impact of Compliance section below to see if this recommendation works for you.
Enable this header with a long validity period, including subdomains and preloading, if you have no requirement to support HTTP. More information, and the form for submitting your site to the preload list, can be found at hstspreload.org.
By following this recommendation, what risk is mitigated?
HSTS will prevent HTTP downgrade and man-in-the-middle (MiTM) attacks: a browser that has received the header (or has the domain preloaded) refuses to speak plain HTTP to the domain and will not let the user bypass certificate errors for it. The very first connection to a domain that is not preloaded is still unprotected, which is the gap preloading closes.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality:
If you or your customers have a technical need for HTTP, or expect one within the next year, you should not enable this header. Once a browser has received it, plain HTTP communication with the domain becomes impossible from that browser until the max-age period has elapsed, and a preloaded domain must additionally be removed from the preload list via hstspreload.org before browsers shipping that list stop enforcing it.
What you can do to get there
Your server software should provide a mechanism for adding additional headers, such as this one.
What this header may look like when implemented securely
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
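The following Python is an added illustration, not code from the original page: it models how a browser processes the header above. It parses the directives according to the rules in RFC 6797 (case-insensitive names, each directive at most once, a required numeric max-age that may be quoted), ignores the header when it arrives over plain HTTP, records a policy with its expiry, and then decides whether an http:// request to a host or one of its subdomains must be upgraded, including the case where max-age has elapsed (the situation described under Impact of Compliance). Host names, timestamps and header values are constructed for the demonstration.

```python
"""Toy model of browser-side HSTS handling (RFC 6797). Constructed example."""
import re
from dataclasses import dataclass

# One directive: name, optionally "=" and a bare token or quoted string.
# Parts are produced by splitting the header value on ";".
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^\s;"]*))?\s*$'
)


@dataclass
class Policy:
    expires: int              # absolute time (seconds) at which the policy lapses
    include_subdomains: bool  # apply to all subdomains as well
    preload: bool             # advisory for hstspreload.org; no runtime effect


def parse_sts(value):
    """Return {directive_name: value_or_None}, or None if the header is malformed."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # grammar permits empty directives, e.g. a trailing ";"
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None  # a directive appearing twice invalidates the whole header
        raw = m.group(2)
        seen[name] = raw.strip('"') if raw is not None else None
    # max-age is mandatory and must be a non-negative integer (delta-seconds)
    if "max-age" not in seen or not re.fullmatch(r"\d+", seen["max-age"] or ""):
        return None
    return seen


class HstsStore:
    """Per-host policy cache, as a browser keeps it."""

    def __init__(self):
        self._policies = {}  # host -> Policy

    def observe(self, host, sts_value, now, over_https=True):
        """Process one Strict-Transport-Security header. Returns True if acted on."""
        if not over_https:
            return False  # the header is ignored unless received over a secure connection
        d = parse_sts(sts_value)
        if d is None:
            return False
        host = host.lower()
        max_age = int(d["max-age"])
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._policies[host] = Policy(
            now + max_age, "includesubdomains" in d, "preload" in d
        )
        return True

    def must_use_https(self, host, now):
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            p = self._policies.get(candidate)
            if p is None:
                continue
            if now >= p.expires:
                del self._policies[candidate]  # max-age elapsed: plain HTTP is possible again
                continue
            if i == 0 or p.include_subdomains:
                return True
        return False


def demo():
    """Apply the page's example header to a constructed host and query the store."""
    store = HstsStore()
    t0 = 1_700_000_000  # constructed "now"
    store.observe("example.test", "max-age=63072000; includeSubDomains; preload", t0)
    return {
        "apex": store.must_use_https("example.test", t0 + 10),
        "sub": store.must_use_https("api.example.test", t0 + 10),
        "other": store.must_use_https("example.invalid", t0 + 10),
        "expired": store.must_use_https("example.test", t0 + 63072000 + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The two behaviours worth noticing are that a malformed or duplicated directive causes the whole header to be dropped rather than partially honoured, and that the policy is enforced only until max-age elapses, which is why a value of two years with includeSubDomains is a commitment to keep HTTPS working for every subdomain for that long.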