Strict-Transport-Security is the HTTP response Header Field sent from the Server to the User-agent to convey the server's HTTP Strict Transport Security Policy (RFC 6797).

Strict-Transport-Security Examples [1]

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload


  • max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
  • includeSubDomains - OPTIONAL - If specified, this rule applies to all of the site's subdomains as well.
  • preload - OPTIONAL - See Preloading Strict Transport Security for details. Not part of the specification.

The preload directive is browser dependent; it is not defined in RFC 6797.
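The following is an added example (not code from the page or from RFC 6797) of how a user agent would parse the header forms listed above into a policy and then decide whether a given host is covered by it; the class and function names are this example's own. It also shows the edge cases a cached policy has to handle: a missing max-age, a duplicated directive, and max-age=0.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example, not code from the page. Grammar follows RFC 6797 section 6.1:
# directives are ';'-separated, names are case-insensitive, max-age is required and
# no directive may repeat. "preload" is a browser-vendor extension outside the RFC.

@dataclass
class HstsPolicy:
    max_age: int              # seconds the UA should treat the host as HTTPS-only
    include_subdomains: bool  # policy also covers every subdomain of the host
    preload: bool             # site asks to be included in browser preload lists

def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means the UA must ignore it."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue  # a trailing ';' yields an empty directive, which is tolerated
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if not name or name in seen:
            return None  # malformed or duplicated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form is permitted
            if not value.isdigit():
                return None  # delta-seconds must be one or more digits
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)

def hsts_applies(policy: HstsPolicy, issuing_host: str, target_host: str) -> bool:
    """True if the policy issued by issuing_host forces HTTPS for target_host."""
    if policy.max_age == 0:
        return False  # max-age=0 instructs the UA to drop the cached policy
    issuing_host, target_host = issuing_host.lower(), target_host.lower()
    if target_host == issuing_host:
        return True
    return policy.include_subdomains and target_host.endswith("." + issuing_host)
```

Unknown directives are skipped rather than rejected, which is what the RFC asks of user agents so that future directives can be added.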

