Header: Strict-Transport-Security (HSTS)
The Strict-Transport-Security header, or HSTS for short, is an HTTP response header that instructs the user agent (UA) to communicate with the requested host only over a secure connection (HTTPS).
Once a UA has received the header over HTTPS, it rewrites every subsequent http:// URL for that host to https:// before the request leaves the machine, and it treats certificate and other TLS errors as fatal instead of offering a click-through warning. This is stronger than a plain HTTP-to-HTTPS (301) redirect: with a redirect, every visit starts with a plaintext request that an attacker on the path can intercept and answer, the "bootstrap" man-in-the-middle problem exploited by SSL stripping. HSTS removes that exposure for every visit after the first; the very first request, made before the UA has ever seen the header, is still sent in the clear, and that remaining gap is what the preload list is for.
Syntax
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Directives
max-age
The required max-age directive specifies the number of seconds, counted from the moment the header is received, for which the UA remembers that the host is an HSTS host. Each new response refreshes the timer. Sending max-age=0 tells the UA to forget the policy, which is the only way to back out of HSTS for hosts that are not preloaded.
includeSubDomains
The includeSubDomains directive is an optional and valueless directive which signals the User-Agent (e.g. a browser) that the HSTS policy applies to the requested host as well as all of its subdomains. Before enabling it, make sure every subdomain, including internal and legacy hosts, already serves a valid certificate, because the policy will be enforced on all of them.
preload
The optional preload directive is not part of RFC 6797 and does not preload anything by itself. It signals that the site owner consents to the host being built into the browsers' hardcoded HSTS preload list (submitted via hstspreload.org). Once a host is on that list, supporting User-Agents never connect to it over plain HTTP, not even on the first visit, which closes the bootstrap gap described above.
Webserver configuration
NGINX
To configure HSTS on an nginx server you need the add_header directive, which can be placed in the http, server or location context of your virtual host configuration. The always parameter makes nginx emit the header on every response; without it, only successful (2xx) and redirect (3xx) responses carry the header. Two caveats: put the directive only in the HTTPS server block, because UAs ignore an HSTS header received over plain HTTP; and note that an add_header in a location block replaces all add_header directives inherited from the enclosing context, so a location that sets its own headers must repeat the HSTS line.
add_header Strict-Transport-Security "max-age=63115200; includeSubDomains; preload" always;
Apache
For HSTS on an Apache server you need mod_headers and the Header directive; the always condition adds the header to error responses as well. As with nginx, set it only in the HTTPS virtual host.
Header always set Strict-Transport-Security "max-age=63115200; includeSubDomains; preload"
Preload requirements
To be accepted into the HSTS preload list (hstspreload.org), the header served by the base domain over HTTPS must meet all of the following:
- The max-age directive must be at least one year (31536000 seconds).
- The includeSubDomains directive must be specified.
- The preload directive must be specified.
A header that satisfies all three, matching the webserver examples above:
Strict-Transport-Security: max-age=63115200; includeSubDomains; preload
Submission is effectively a one-way decision: removal from the list only reaches users with later browser releases, so verify that every subdomain works over HTTPS before you submit.
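The following Python script is an added example, not code from the original page. It implements the header grammar from the Directives section as a UA would apply it (RFC 6797: directive names are case-insensitive, max-age is required, each directive may appear only once, the header is ignored over plain HTTP, max-age=0 forgets the host, and includeSubDomains extends the policy to subdomains), and it checks a header value against the three preload requirements listed above. The sample header values and timestamps are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # minimum max-age accepted by the preload list

# RFC 6797 §6.1: directive = directive-name [ "=" directive-value ]
# where directive-value is a token or a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE_RE = re.compile(rf"^\s*({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*$")


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value.

    Returns None whenever a UA would ignore the header: a directive that does
    not fit the grammar, a duplicated directive, or a missing/invalid max-age.
    """
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        if raw.strip() == "":
            continue  # the grammar allows empty directives ("a;;b")
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        val = m.group(2)
        if name in seen:
            return None  # every directive may appear at most once
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote quoted-string
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_problems(value: str) -> List[str]:
    """List why a header value would fail the preload requirements; [] means eligible."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is not a valid HSTS policy"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload is missing")
    return problems


# UA-side store: host -> (expiry timestamp, includeSubDomains flag)
HstsStore = Dict[str, Tuple[float, bool]]


def ua_process(store: HstsStore, host: str, scheme: str, value: str, now: float) -> None:
    """Update the store the way a UA does on receiving the header (RFC 6797 §8.1)."""
    if scheme != "https":
        return  # headers received over plain HTTP are ignored
    policy = parse_hsts(value)
    if policy is None:
        return
    if policy.max_age == 0:
        store.pop(host, None)  # max-age=0 forgets the host
        return
    store[host] = (now + policy.max_age, policy.include_subdomains)


def must_upgrade(store: HstsStore, host: str, now: float) -> bool:
    """True if the UA must rewrite http://host to https (exact match, or an
    unexpired superdomain policy that carries includeSubDomains)."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None:
            continue
        expires, include_sub = entry
        if expires > now and (i == 0 or include_sub):
            return True
    return False


if __name__ == "__main__":
    for header in ("max-age=63115200; includeSubDomains; preload", "max-age=86400; preload"):
        print(repr(header), "->", preload_problems(header) or "eligible")
    store: HstsStore = {}
    ua_process(store, "example.com", "https", "max-age=31536000; includeSubDomains", now=1000.0)
    print("upgrade www.example.com:", must_upgrade(store, "www.example.com", now=1001.0))
```

The store lookup walks from the full host name up through its parent domains, which is why a policy learned from example.com with includeSubDomains also forces https for www.example.com, while a policy without the flag applies to the exact host only.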