HSTS Header: A Security Measure

Shaikat Ray

HSTS, or HTTP Strict Transport Security, is a response header served by the server that tells the browser to access the site only over HTTPS. A browser honours the header only when it arrives over a valid HTTPS connection (a copy sent over plain HTTP is ignored), remembers the policy for the max-age period, and during that time rewrites any http:// request for the host to https:// before sending it. It also refuses to let the user click through certificate errors for that host, which is what makes it effective against SSL-stripping and similar downgrade attacks.

“The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.”

MDN Web Docs

To have the policy apply even on a visitor's very first request, submit the domain to https://hstspreload.org/, the preload service run by the Chromium project, which feeds Chrome's built-in list; Firefox, Safari and Edge derive their lists from Chrome's. Preloading is effectively permanent: removal needs a browser release and can take months, and with includeSubDomains every subdomain that is not served over HTTPS becomes unreachable, so confirm the whole domain is HTTPS-ready before submitting.

Example:

Strict-Transport-Security: max-age=<expire-time in seconds>; includeSubDomains; preload

Note: includeSubDomains and preload are optional; max-age is the only required directive.

When submitting for preload, hstspreload.org requires a max-age of at least 31536000 (1 year) and recommends 63072000 (2 years); both the includeSubDomains and preload directives must be present, the header must be served on the base domain over HTTPS, plain HTTP on the same host must redirect to HTTPS, and every subdomain must be served over HTTPS. The preload directive and these requirements are conventions of the preload service; they are not part of the HSTS specification (RFC 6797).
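As an added example (not code from the original post), here is a small Python parser and preload-eligibility checker for the header format above. It applies the RFC 6797 parsing rules (max-age required and numeric, each directive at most once, quoted values allowed, unknown directives ignored, names case-insensitive) and then the hstspreload.org header requirements. The thresholds are the values published by hstspreload.org at the time of writing and should be re-checked before a submission; the sample header values are constructed for illustration. It checks only the header value itself; the site-level rules (HTTP-to-HTTPS redirect, HTTPS on every subdomain) still need a separate check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds used by hstspreload.org at the time of writing (assumption:
# re-check the site before submitting). They are not part of RFC 6797.
PRELOAD_MIN_MAX_AGE = 31_536_000          # 1 year
PRELOAD_RECOMMENDED_MAX_AGE = 63_072_000  # 2 years

# One directive: a token, optionally "= value" where the value may be quoted.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2\s*)?$')
_DIGITS_RE = re.compile(r"[0-9]+")  # max-age = 1*DIGIT


@dataclass
class HSTSPolicy:
    max_age: int                # seconds; 0 tells the browser to forget the host
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HSTSPolicy]:
    """Parse a Strict-Transport-Security field value (RFC 6797, section 6.1).

    Returns None in every case where a browser would ignore the header:
    max-age missing or non-numeric, a directive repeated, or a directive
    that does not match the grammar. Directive names are case-insensitive
    and unknown directives are ignored (but still may not be repeated).
    """
    seen: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';' or doubled separators
        m = _DIRECTIVE_RE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None  # "All directives MUST appear only once"
        seen[name] = m.group(3)  # None when the directive carries no value
    max_age = seen.get("max-age")
    if max_age is None or _DIGITS_RE.fullmatch(max_age) is None:
        return None
    return HSTSPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_problems(policy: Optional[HSTSPolicy]) -> List[str]:
    """List the reasons the header itself would fail hstspreload.org's checks.

    An empty list means the header is eligible; the site-level rules
    (redirect HTTP to HTTPS on the same host, HTTPS on every subdomain,
    header served on the base domain) must be verified separately.
    """
    if policy is None:
        return ["header missing or malformed; browsers will ignore it"]
    problems: List[str] = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age={policy.max_age} is below the 1-year minimum "
            f"({PRELOAD_MIN_MAX_AGE}); {PRELOAD_RECOMMENDED_MAX_AGE} is recommended"
        )
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "recommended":   "max-age=63072000; includeSubDomains; preload",
    "quoted":        'max-age="31536000"; includeSubDomains; preload',
    "too-short":     "max-age=300; includeSubDomains; preload",
    "no-subdomains": "max-age=63072000; preload",
    "duplicate":     "max-age=63072000; max-age=0; includeSubDomains; preload",
    "no-max-age":    "includeSubDomains; preload",
    "removal":       "max-age=0",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        problems = preload_problems(parse_hsts(header))
        status = "eligible" if not problems else "; ".join(problems)
        print(f"{label:13} {header!r:62} -> {status}")
```

Note that the duplicate sample is rejected outright rather than resolved to either max-age value: a browser would ignore that header entirely, so a deployment that emits the header twice (for example once from the application and once from a reverse proxy) silently gets no HSTS protection at all. That is worth checking with curl -I against the live site before submitting for preload.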

Here’s the current preloaded list of sites on:

a. Chrome: https://source.chromium.org/chromium/chromium/src/+/main:net/http/transport_security_state_static.json

b. Firefox: https://searchfox.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc

Recommended Reading

a. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security