HTTP Strict Transport Security (HSTS)
What is HTTP Strict Transport Security (HSTS)?
HTTP Strict Transport Security (HSTS): A web security policy delivered via an HTTP response header that tells browsers to access a domain only over HTTPS for a declared period of time.
HSTS, defined in RFC 6797, is signalled by the Strict-Transport-Security response header. A compliant browser honours the header only when it arrives over an HTTPS connection whose certificate validated without error; a copy received over plain HTTP is ignored. Once accepted, the policy is cached for max-age seconds, and for that period the browser rewrites every http:// URL for the host (and, with the includeSubDomains directive, for all of its subdomains) to https:// before any request is sent, and treats a TLS handshake or certificate error as a hard failure with no click-through option. This defeats SSL stripping, because the attacker never sees a plaintext request to downgrade, and includeSubDomains blocks cookie injection from an attacker-controlled plaintext response on an arbitrary subdomain. The policy is trust-on-first-use: the very first visit, and any visit after the cached policy has expired, is still unprotected unless the domain is on the browser preload list. Best practice is therefore a long max-age (at least one year), includeSubDomains, the preload directive (not part of RFC 6797, but required by the Chromium-maintained list at hstspreload.org, which the other major browsers import), and submission of the apex domain to that list. Two caveats: roll out with a short max-age first and lengthen it only once every subdomain serves valid HTTPS, because users cannot bypass a cached policy; and treat preloading as effectively permanent, since removal from the list propagates only with browser releases. Sending max-age=0 tells browsers to forget a cached policy.
● Examples
- 01
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- 02
A bank submitting its apex domain to the Chromium HSTS preload list.
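The following Python is an added example for this entry, not code from the original page, from RFC 6797 or from any browser. It models how a browser handles a header like example 01 above: parsing it with the RFC's rules (max-age required, a repeated directive invalidates the whole header, unknown directives are ignored), discarding it unless it arrived over https://, upgrading later http:// URLs with label-wise subdomain matching, honouring expiry and max-age=0, and applying the header-level checks the preload list requires. The hostnames (example.com and a lookalike) and the integer `now` clock are constructed inputs.

```python
"""Browser-side model of Strict-Transport-Security processing (RFC 6797). Added example
for this glossary entry, not browser or page code; example.com inputs are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header):
    """Return (max_age, include_subdomains, preload), or None when a browser would
    ignore the header: max-age missing or non-numeric, or a directive repeated."""
    max_age, include_subdomains, preload = None, False, False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:                 # the grammar permits empty directives
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:                  # each directive MUST appear at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored so new ones can be introduced later
    if max_age is None:                   # max-age is required
        return None
    return max_age, include_subdomains, preload


def preload_eligible(header):
    """Header-level checks from hstspreload.org. The site must also redirect HTTP to
    HTTPS and serve valid certificates on every subdomain; that is not checked here."""
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_subdomains, preload = parsed
    return max_age >= PRELOAD_MIN_MAX_AGE and include_subdomains and preload


class HstsStore:
    """The browser's cache of known HSTS hosts."""

    def __init__(self):
        self.policies = {}  # host -> (max_age, include_subdomains, received_at)

    def observe(self, url, header, now):
        """Record the policy from a response; returns True if it was honoured. The caller
        passes only responses whose certificate validated: a header received over plain
        http:// (or with TLS errors) is ignored, which is what the scheme check models."""
        parts = urlsplit(url)
        parsed = parse_hsts(header)
        if parts.scheme != "https" or not parts.hostname or parsed is None:
            return False
        max_age, include_subdomains, _preload = parsed
        if max_age == 0:                  # max-age=0 tells the browser to forget the host
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (max_age, include_subdomains, now)
        return True

    def is_known_host(self, host, now):
        """Exact match, or a superdomain policy carrying includeSubDomains. Matching is
        label-wise, so a policy for example.com never covers evil-example.com."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            max_age, include_subdomains, received_at = policy
            if now >= received_at + max_age:
                del self.policies[candidate]  # expired: the host is no longer protected
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite an http:// URL to https:// before any request leaves the browser.
        An explicit port 80 becomes the https default; other explicit ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname, now):
            return url                    # already https, or not a known HSTS host
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Two details are worth noting. The store deliberately has no notion of certificate errors: it models the RFC's rule that the header is only honoured over a trusted TLS connection by refusing anything that did not arrive over https://, and a real browser additionally rejects a header on a connection with certificate warnings. Subdomain matching splits on DNS labels rather than doing a string suffix test, because a suffix test would let a policy for example.com cover an attacker's evil-example.com and, worse, would let an includeSubDomains policy fail to cover hosts that it should.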
● Frequently asked questions
What is HTTP Strict Transport Security (HSTS)?
A web security policy delivered via an HTTP response header that tells browsers to access a domain only over HTTPS for a declared period of time. It belongs to the Network Security category of cybersecurity.
How do you deploy HTTP Strict Transport Security (HSTS)?
Serve the Strict-Transport-Security header on every HTTPS response for the apex domain and all subdomains, and redirect HTTP to HTTPS. Start with a short max-age, raise it to at least a year once every subdomain works over HTTPS, then add includeSubDomains and preload and submit the domain at hstspreload.org. Remember that a cached policy cannot be bypassed by users and that preloading is hard to undo.
What are other names for HTTP Strict Transport Security (HSTS)?
Common alternative names include: Strict-Transport-Security, HSTS header.