
Header: Strict-Transport-Security (HSTS)

The Strict-Transport-Security header, or HSTS for short, is an HTTP response header that instructs the user agent (UA) to communicate with the requested host only over a secure connection (HTTPS) for as long as the policy is valid.

When a website sends the HSTS header in a response, the UA is instructed to communicate with that host only by means of secure connections (HTTPS). Every later http:// request to the host is rewritten to https:// by the UA itself, before it leaves the client, so the plaintext request never reaches the network. This is why HSTS is stronger than a plain HTTP-to-HTTPS (301) redirect: with a redirect alone, every plaintext request can be intercepted and downgraded by an active attacker on the path. With HSTS only the very first visit, before the UA has seen the header, is exposed to such a bootstrap man-in-the-middle attack; the preload directive described below is the mechanism for closing that remaining gap. Two further points matter in practice: UAs only honour the header when it arrives over an HTTPS connection with a valid certificate (an HSTS header received over plain HTTP is ignored), and once a policy is cached the UA treats any certificate error for that host as fatal and offers the user no click-through.

Syntax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age

The required max-age directive specifies the number of seconds, counted from receipt of the response, for which the User-Agent remembers that the host is an HSTS host. The timer is refreshed every time the header is seen again. A value of 0 tells the UA to forget the policy for that host immediately, which is the only way to roll HSTS back on clients that have already cached it.

includeSubDomains

The includeSubDomains directive is an optional, valueless directive which signals the User-Agent (e.g. a browser) that the HSTS policy applies to the requested host as well as all of its subdomains. Before enabling it, check that every subdomain (internal hosts, staging systems and anything served by third parties included) is reachable over HTTPS, because the UA will refuse plain-HTTP connections to all of them for the whole max-age period.

preload

The optional preload directive is not part of RFC 6797. It is a signal to the maintainers of the browser preload list (hstspreload.org) that the site owner consents to having the domain hard-coded into browsers. Only once the domain has actually been shipped in that list will supporting User-Agents never connect to your site insecurely, not even on the very first visit, which closes the bootstrap gap described above. Submission requires a valid certificate, an HTTP-to-HTTPS redirect, a max-age of at least one year, includeSubDomains and preload on the base domain, and removal from the list takes months of browser release cycles, so treat preloading as effectively permanent.

Webserver configuration

NGINX

To configure HSTS on an nginx server you use the add_header directive, which can be placed in the http, server or location context of your virtual host configuration. Put it in the server block that terminates TLS; sending it from the plain-HTTP server block is harmless but ignored by clients. The always parameter (nginx 1.7.5 and later) makes nginx emit the header on every response code, including error pages, rather than only on successful responses and redirects. Note that add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a location block with its own add_header silently drops the HSTS header unless you repeat it there.

add_header Strict-Transport-Security "max-age=63115200; includeSubDomains; preload" always;

Apache

For the HSTS configuration with an Apache server you use the Header directive of mod_headers (make sure the module is enabled, e.g. with a2enmod headers on Debian and Ubuntu), placed in the HTTPS VirtualHost. The always condition makes Apache send the header on all responses, including error pages and redirects, and set replaces any existing value of the header.

Header always set Strict-Transport-Security "max-age=63115200; includeSubDomains; preload"

FAQ

Who should implement the Strict-Transport-Security header?
We highly recommend implementing the HSTS header on every website that is served over HTTPS, to protect the communication between clients and the server against downgrade attacks. Before doing so, make sure the whole site (and all subdomains if you use includeSubDomains) works over HTTPS, because clients that have cached the policy will not fall back to plain HTTP until max-age expires or a max-age=0 header is served to them over HTTPS.
What is the recommended implementation of the HSTS header?
  • The max-age directive must be at least one year (31536000 seconds).
  • The includeSubDomains directive must be specified.
  • The preload directive must be specified.
Your HSTS header might then look like this (the example uses a two-year max-age):
Strict-Transport-Security: max-age=63115200; includeSubDomains; preload
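The following is an added example, not code from this page or from any browser: a small Python model of how a User-Agent parses the directives described above and applies the cached policy to later requests, plus a check against the recommended max-age, includeSubDomains and preload settings from this FAQ. The host names, header values and clock are constructed test data; real browsers additionally consult the preload list and apply the policy at the network layer.

```python
# Added example (not from the page): a model of how a user agent parses
# Strict-Transport-Security and upgrades later requests. Host names, header
# values and the clock used below are constructed test data.
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age the FAQ recommends


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value per RFC 6797 section 6.1: directive names are
    case-insensitive, max-age is mandatory and may be quoted, a repeated
    directive invalidates the whole header, unknown directives are ignored."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_recommended(policy: HstsPolicy) -> List[str]:
    """Findings against the FAQ's recommended deployment (empty list = good)."""
    findings = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing")
    if not policy.preload:
        findings.append("preload missing")
    return findings


class HstsStore:
    """The user agent's HSTS cache: host -> (expiry time, includeSubDomains)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, url: str, headers: Dict[str, str]) -> None:
        """Learn a policy from a response. Only HTTPS responses count
        (RFC 6797 section 8.1); max-age=0 deletes the cached entry."""
        u = urlsplit(url)
        if u.scheme != "https" or u.hostname is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return
        host = u.hostname.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """An exact entry always applies; a superdomain entry applies only if
        it carried includeSubDomains. Expired entries are ignored."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL for a known host before it leaves the UA
        (RFC 6797 section 8.3: port 80 becomes implicit 443, other ports stay)."""
        u = urlsplit(url)
        if u.scheme != "http" or u.hostname is None or not self.is_known(u.hostname):
            return url
        netloc = u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
```

The store reproduces the behaviour the sections above describe: the first http:// request to an unknown host is sent as-is (the bootstrap gap), a header received over plain HTTP is ignored, after a valid HTTPS response every later http:// request to the host (and, with includeSubDomains, to its subdomains) is rewritten client-side, and the policy disappears when max-age expires or a max-age=0 header is served. Point check_recommended at the value your own server returns to see which of the FAQ's three recommendations it misses.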
