Overview [1] [2]#
Strict-Transport-Security is the HTTP response header field sent from the Server to the User-agent to convey an HTTP Strict Transport Security Policy (RFC 6797). Strict-Transport-Security is one attempt to reduce the Public Key Infrastructure Weaknesses Attack Surface: once a browser has recorded the policy, it will no longer send plaintext HTTP requests to that host.
Strict-Transport-Security Examples [1]#
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Directives#
- max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains - OPTIONAL - If this optional parameter is specified, the rule applies to all of the site's subdomains as well.
- preload - OPTIONAL - See Preloading Strict-Transport-Security for details. NOT part of the specification (RFC 6797); the preload directive is browser dependent.
Strict-Transport-Security Browser/User-agent#
When a Website is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. When the Expiration Date specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.
Whenever the Strict-Transport-Security header is delivered to the browser, it will update the Expiration Date for that Website, so sites can refresh this information and prevent the timeout from expiring.
Should it be necessary to disable Strict-Transport-Security, setting max-age to 0 (delivered over an HTTPS connection, since the header is ignored when received over plain HTTP) will immediately expire the Strict-Transport-Security policy for that host, allowing access via HTTP again.
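The browser-side behaviour described above (recording the policy on receipt over HTTPS, refreshing the expiry on every receipt, expiring it after max-age seconds, forgetting it on max-age=0) is easiest to see as a small policy store. The following is an added example written for this page, not code from any browser or from RFC 6797 itself; it follows the RFC's rules for parsing the header and rewriting http URLs (including the domain-name-only rule stated later on this page, which makes the store ignore hosts given as IP literals). The hostnames and header values are constructed sample data, and the injectable clock exists only so the expiry can be exercised without waiting.

```python
"""Minimal HSTS policy store modelled on RFC 6797 (added example).

Parses Strict-Transport-Security header values, keeps a per-host expiry,
honours includeSubDomains, ignores unknown directives such as preload,
drops the entry on max-age=0, ignores IP-literal hosts, and rewrites
plain-http URLs to https for known hosts.  All hosts and header values
used with it below are constructed sample data.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains) or None if the header is unusable.

    RFC 6797 section 6.1: max-age is required, directive names are
    case-insensitive, a repeated directive invalidates the header, and
    unrecognised directives (e.g. 'preload') are ignored.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None                      # duplicate directive: header invalid
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # delta-seconds, optionally quoted
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive name is ignored
    if max_age is None:
        return None
    return max_age, include_subdomains


def is_ip_literal(host: str) -> bool:
    """HSTS hosts are domain names only (RFC 6797 Appendix A)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, scheme: str, header_value: str) -> bool:
        """Process an STS header from a response. Returns True if state changed."""
        if scheme != "https":                # header over plain HTTP is ignored
            return False
        host = host.lower().rstrip(".")
        if is_ip_literal(host):
            return False
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                     # max-age=0: forget the host at once
            return self._entries.pop(host, None) is not None
        # Every receipt (re)sets the expiry, so sites can keep the policy alive.
        self._entries[host] = HstsEntry(self._clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """Exact match, or a superdomain match whose entry has includeSubDomains."""
        now = self._clock()
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:      # expired: behave as if never seen
                del self._entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname              # explicit :80 is dropped (becomes 443)
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"       # any other explicit port is kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A defender checking a deployment can compare this against what the browser actually stores: a site that sends `max-age=600` has to be revisited over HTTPS at least every ten minutes or the protection silently lapses, which is why the page above stresses that each delivery refreshes the expiry.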
Preloading Strict-Transport-Security#
Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers that ship the list will never connect to your domain using an insecure connection, not even on the very first visit, which a header-only policy cannot protect. While the service is hosted by Google, all major browsers have stated an intent to use (or have actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.
- Information regarding the HSTS preload list in Chrome:
- The List: https://www.chromium.org/hsts
- A website can be submitted for hardcoding into Chrome as HTTPS-only at https://hstspreload.org
- The Firefox HSTS preload list: nsSTSPreloadList.inc
- This list is used by Mozilla's Network Security Services to record sites that permanently use HTTPS
Domain Name System _NOT_ IP Address#
Strict-Transport-Security Hosts are identified only via domain names; explicit IP address identification of all forms is excluded. RFC 6797 Appendix A explicitly excludes IP Addresses, so a policy received from a host reached by IP literal is not recorded.
More Information#
There might be more information for this subject on one of the following:
- [#1] - Strict-Transport-Security
- based on information obtained 2018-05-12
- [#2] - HTTP_Strict_Transport_Security
- based on information obtained 2018-07-31