Network Security
HTTP Strict Transport Security (HSTS)
Also known as: Strict-Transport-Security, HSTS header
Definition
A web security policy delivered via an HTTP response header that tells browsers to access a domain only over HTTPS for a declared period of time.
HSTS, defined in RFC 6797, is signalled by the Strict-Transport-Security response header. A compliant browser honours the header only when it arrives over an HTTPS connection with no certificate errors; it then caches the policy for max-age seconds, rewrites every later http:// request to that host (and, with includeSubDomains, to its subdomains) to https:// before any packet is sent, and treats a TLS or certificate failure on those connections as fatal rather than offering a click-through warning. Because no plaintext request ever leaves the browser for a known HSTS host, SSL stripping is defeated for every visit after the policy has been cached. The very first visit, before the header has been seen, remains exposed; that is the gap the preload directive and the browser preload lists close. includeSubDomains also removes the plaintext-subdomain foothold an attacker could otherwise use to set cookies for the parent domain. Best practice therefore combines a long max-age (at least one year for preload eligibility), includeSubDomains, preload, and submission of the apex domain to the browser HSTS preload list. A cached policy can be withdrawn by serving max-age=0, but a preloaded entry persists in shipped browsers until the list is updated and rolled out, so roll HSTS out with a short max-age first and lengthen it once every subdomain is confirmed to serve valid TLS.
Examples
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- A bank submitting its apex domain to the Chromium HSTS preload list.
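The following model of the browser-side logic is an added example written for this entry, not code from RFC 6797 or from any browser. It parses the header as RFC 6797 section 6.1 requires (invalid or duplicated directives cause the whole header to be ignored), refuses to accept the header over plain HTTP or when certificate validation failed, honours max-age=0 as a removal, matches includeSubDomains against parent domains, and rewrites http:// URLs for known hosts (port 80 becomes 443, other explicit ports are kept). The hostnames, header values and the preload_eligible threshold of one year are constructed for the example; the clock is injectable so that expiry can be exercised offline.

```python
"""Minimal HSTS policy engine modelling RFC 6797 client behaviour (added example)."""
import re
import time
from dataclasses import dataclass

ONE_YEAR = 31536000  # minimum max-age accepted by the Chromium preload list


@dataclass
class HstsPolicy:
    host: str
    expires: float          # absolute time, seconds since the epoch
    include_subdomains: bool
    preload: bool


def parse_sts(header: str):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    invalid: no max-age, a non-numeric max-age, or a repeated directive. A
    browser ignores an invalid header entirely rather than guessing.
    """
    max_age, include_sub, preload = None, False, False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')      # quoted values are permitted
        if name in seen:
            return None                       # directives must not repeat
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_sub, preload


def preload_eligible(header: str) -> bool:
    """Header-level checks applied by the Chromium preload list submission form."""
    parsed = parse_sts(header)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    return max_age >= ONE_YEAR and include_sub and preload


class HstsStore:
    """Per-browser cache of HSTS policies keyed by hostname."""

    def __init__(self, clock=time.time):
        self.policies = {}
        self.clock = clock

    def process_response(self, host: str, scheme: str, header: str, cert_ok: bool = True) -> bool:
        # RFC 6797 section 8.1: only trust the header over a clean HTTPS connection
        if scheme != "https" or not cert_ok:
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub, preload = parsed
        if max_age == 0:
            self.policies.pop(host, None)     # max-age=0 withdraws the policy
            return True
        self.policies[host] = HstsPolicy(host, self.clock() + max_age, include_sub, preload)
        return True

    def is_known_host(self, host: str) -> bool:
        now = self.clock()
        policy = self.policies.get(host)
        if policy and policy.expires > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):      # walk up: a.b.example.com -> b.example.com -> example.com
            parent = self.policies.get(".".join(labels[i:]))
            if parent and parent.expires > now and parent.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade an http:// URL for a known host; other URLs are returned unchanged."""
        m = re.fullmatch(r"http://([^/:]+)(:\d+)?(.*)", url)
        if not m:
            return url
        host, port, rest = m.groups()
        if not self.is_known_host(host):
            return url
        if port in (None, ":80"):              # RFC 6797 section 8.3: 80 maps to 443
            port = ""
        return f"https://{host}{port}{rest}"
```

The expiry check is done on every lookup rather than by purging entries, which is enough for a model; a real browser also persists the store across restarts and seeds it from the preload list, neither of which this example attempts.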
Related terms
HTTPS
HTTPS — definition coming soon.
TLS (Transport Layer Security)
TLS (Transport Layer Security) — definition coming soon.
SSL Stripping
A man-in-the-middle attack that silently downgrades a victim's HTTPS connection to plain HTTP so the attacker can read and modify the traffic.
Secure Cookie Flag
Secure Cookie Flag — definition coming soon.
HTTP Security Headers
HTTP Security Headers — definition coming soon.
Certificate Authority (CA)
A trusted entity that issues and signs digital certificates, binding cryptographic public keys to verified identities such as domain names or organisations.