HTTP Strict Transport Security (HSTS)
Purpose
Why use this header at all?
The HSTS header informs the client (browser) that this domain is to be reached only over HTTPS: for as long as the policy is valid, the browser does not send plain HTTP requests to the domain, rewriting them to HTTPS instead.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
Enable this header with a long validity period, including subdomains and preloading, if you do not have a requirement to support HTTP. More information, and the form for submitting your site to the preload list, can be found on hstspreload.org.
Risk Mitigated
By following this recommendation, what risk is mitigated?
HSTS will prevent HTTP downgrade and man-in-the-middle (MiTM) attacks.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality.
If you or your customers have a technical need for HTTP, or expect to within the next year, you should not enable this header. Once enabled, HTTP communication becomes impossible until the max-age parameter has elapsed.
Next Steps
What you can do to get there
Your server software should provide a mechanism for adding additional headers, such as this one.
Example
What this header may look like when implemented securely
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
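The following is an added example, not part of the original page: a small Python parser and checker for a Strict-Transport-Security header value. It parses the directives defined in RFC 6797 (max-age, includeSubDomains, and the preload token used by hstspreload.org) and reports where a value falls short of the recommendation above. The one-year minimum for max-age and the includeSubDomains and preload requirements are the published preload-list submission criteria; the two-year value matches the example header. The sample header values below are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000        # preload list requires max-age of at least one year
RECOMMENDED = 63072000     # two years, as in the example header above


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive; max-age may be quoted (RFC 6797).
    Unknown directives are collected rather than rejected, because browsers
    ignore them and a checker should surface them.
    """
    max_age = None
    include_subdomains = False
    preload = False
    unknown: List[str] = []
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(name)
    return HstsPolicy(max_age, include_subdomains, preload, unknown)


def check_hsts(value: str) -> List[str]:
    """Return findings for a header value; an empty list means it matches the recommendation."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if policy.max_age is None:
        # RFC 6797 makes max-age mandatory; without it the header is ignored.
        return ["missing max-age: browsers ignore the header entirely"]
    if policy.max_age == 0:
        findings.append("max-age=0: instructs browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below the one-year preload minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over plain HTTP")
    if not policy.preload:
        findings.append("preload missing: the site cannot be submitted to the preload list")
    for name in policy.unknown:
        findings.append(f"unknown directive ignored by browsers: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the recommended header and two weak ones.
    for sample in (
        "max-age=63072000; includeSubDomains; preload",
        "max-age=300",
        "includeSubDomains",
    ):
        print(f"{sample!r}: {check_hsts(sample) or 'OK'}")
```

Run the script and it prints the findings for each sample; the recommended value yields no findings, while the short max-age value and the value without max-age are flagged. Note that browsers only honour this header when it arrives over HTTPS, so the check is worth running against the response from the HTTPS endpoint rather than the HTTP redirect.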