HTTP Strict Transport Security (HSTS) Header


Example

Strict-Transport-Security: max-age=31536000; includeSubDomains

Strict-Transport-Security is a promise to the browser that all future requests to this domain will be made over a secure connection.
For the period given by max-age (a duration in seconds):

  • All outgoing HTTP requests from the browser will be converted to HTTPS on the client, before they leave the browser (not via an HTTP redirect).
  • If the certificate is invalid (e.g. expired or self-signed), the user will be unable to whitelist it by clicking through an exception, and the site will remain inaccessible.

HSTS is meant to defeat man-in-the-middle attacks that rely on HTTPS stripping, on presenting an invalid certificate (and expecting the user to add an exception), or on redirecting plain HTTP requests to another destination.