Overview [1] [2]#

Strict-Transport-Security is the HTTP response HTTP Header Field from the Server to the User-agent for HTTP Strict Transport Security Policy. (RFC 6797)

Strict-Transport-Security is one attempt reduce the Public Key Infrastructure Weaknesses Attack Surface

Strict-Transport-Security Examples [1]#

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload


  • max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
  • includeSubDomains - OPTIONAL - If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
  • preload - OPTIONAL - See Preloading Strict Transport Security for details. NOT part of the specification. The preload directive is browser dependent

Strict-Transport-Security Browser/User-agent#

When a Website is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the Expiration Date specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the Expiration Date for that Website, so sites can refresh this information and prevent the timeout from expiring.

Should it be necessary to disable Strict-Transport-Security, setting the max-age to 0 (over a HTTPS connection) will immediately expire the Strict-Transport-Security header, allowing access via HTTP.

Preloading Strict-Transport-Security#

Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.

Domain Name System _NOT_ IP Address#

Strict-Transport-Security Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded. RFC 6797 Appendix A explicitly exclude IP Addresses

More Information#

There might be more information for this subject on one of the following: