Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
- max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains - OPTIONAL - If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
- preload - OPTIONAL - See Preloading Strict Transport Security for details. NOT part of the specification. The preload directive is browser dependent.
Strict-Transport-Security Browser/User-agent
When a Website is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
Whenever the Strict-Transport-Security header is delivered to the browser, it will update the Expiration Date for that Website, so sites can refresh this information and prevent the timeout from expiring.
Preloading Strict-Transport-Security
Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.
- Information regarding the HSTS preload list in Chrome :
- Consultation of the Firefox HSTS preload list : nsSTSPreloadList.inc