!!! Overview [1] [2]
[{$pagename}] is the [HTTP] response [HTTP Header Field] sent by the [Server] to the [User-agent] to declare an [HTTP Strict Transport Security] policy ([RFC 6797]).

[{$pagename}] is one attempt to reduce the [Public Key Infrastructure Weaknesses] [Attack Surface]: once a [browser] has recorded the policy, it will not talk to the host over plain [HTTP], and certificate errors for that host become fatal instead of click-through warnings.

!! [{$pagename}] [Examples] [1]
%%prettify
{{{
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
}}}
/%
! Directives
* max-age=<expire-time> - [REQUIRED] - The time, in seconds, that the [browser] should remember that the site is only to be accessed using [HTTPS]. The value may also be quoted (max-age="<expire-time>").
* includeSubDomains - [OPTIONAL] - If this valueless directive is present, the policy applies to all of the site's subdomains as well.
* preload - [OPTIONAL] - See Preloading [{$pagename}] below. __NOT part of the specification__; the preload directive is [browser] dependent and is simply ignored by a [User-agent] that does not recognise it.

Directive names are case-insensitive, each directive may appear only once in the header, and a [User-agent] ignores any directive it does not recognise ([RFC 6797] Section 6.1).

!! [{$pagename}] [Browser]/[User-agent]
When a [Website] is accessed using [HTTPS] and it returns the [{$pagename}] header, the [browser] records this information, so that future attempts to load the site using [HTTP] will automatically use [HTTPS] instead. The header is honoured only when it arrives over [HTTPS] without certificate errors; a [{$pagename}] header received over plain [HTTP] is ignored.

When the [Expiration Date] specified by the [{$pagename}] header elapses, the next attempt to load the site via [HTTP] will proceed as normal instead of automatically using [HTTPS]. Whenever the [{$pagename}] header is delivered to the [browser], it updates the [Expiration Date] for that [Website], so sites can refresh this information and prevent the policy from expiring. A short max-age therefore protects only visitors who return before it runs out.

Should it be necessary to __disable__ [{$pagename}], setting max-age to 0 (over a [HTTPS] connection) will immediately expire the [{$pagename}] policy, allowing access via [HTTP] again. This reaches only [browser]s that visit the site again; a domain on a preload list stays [HTTPS]-only until it is removed from that list.

!! Preloading [{$pagename}]
[Google] maintains an [HSTS] preload service. By following the guidelines and successfully submitting your domain, [browser]s that ship the preload list will never connect to your domain using an insecure connection, not even on the very first visit, which is the case the header alone cannot protect.
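The header grammar and the [User-agent] behaviour described above, together with the rule noted further down this page that [RFC 6797] excludes [IP Address]es, as an added worked example in JavaScript. It is not part of this page, of [RFC 6797] or of any browser's code base; the host names, URLs and clock values are constructed for illustration.

```javascript
// Added example (not from this page, RFC 6797 or any browser): a small model
// of how a user agent parses Strict-Transport-Security and maintains its
// list of Known HSTS Hosts. Host names, URLs and the clock are constructed.

// RFC 6797 6.1: directives are ';'-separated and case-insensitive, each may
// appear only once, max-age is REQUIRED (its delta-seconds may be quoted),
// includeSubDomains is valueless, and unrecognised directives such as
// preload are ignored. Returns {maxAge, includeSubDomains}, or null when the
// whole header field must be ignored.
function parseStsHeader(value) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null;                 // duplicate directive
    seen.add(name);
    if (name === 'max-age') {
      if (val !== null && /^"\d+"$/.test(val)) val = val.slice(1, -1);
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (val !== null) return null;                 // valueless directive
      includeSubDomains = true;
    }                                                // anything else: ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// RFC 6797 Appendix A: hosts are identified only by domain name. IPv4
// dotted quads and (bracketed or bare) IPv6 literals never become HSTS hosts.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

class HstsStore {
  // `now` returns milliseconds; injectable so expiry can be exercised offline.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.known = new Map();   // lowercase host -> { expires, includeSubDomains }
  }

  // RFC 6797 8.1: note or refresh a policy only from a response received
  // over secure transport with no certificate errors; max-age=0 deletes the
  // cached policy. Returns true when the store changed.
  observeResponse({ host, secure, certErrors = false, stsHeader }) {
    if (!secure || certErrors || stsHeader === undefined || isIpLiteral(host)) return false;
    const policy = parseStsHeader(stsHeader);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) return this.known.delete(key);
    this.known.set(key, { expires: this.now() + policy.maxAge * 1000,
                          includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // RFC 6797 8.2: congruent match, or superdomain match when that
  // superdomain's policy has includeSubDomains. Expired entries are purged.
  isKnownHstsHost(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.known.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now()) { this.known.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // RFC 6797 8.3: an http:// URL to a Known HSTS Host is rewritten to
  // https:// before any request is sent. An explicit non-80 port is kept;
  // WHATWG URL already drops an explicit :80, so the scheme change alone
  // gives the RFC's "port 80 becomes 443" result.
  rewriteUrl(urlString) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnownHstsHost(url.hostname)) url.protocol = 'https:';
    return url.toString();
  }
}

// Walk-through on a constructed clock: an HTTPS visit sets the policy, a later
// http:// link to a subdomain is upgraded, and once max-age elapses it is not.
function demo() {
  let clock = 1700000000000;
  const store = new HstsStore(() => clock);
  const noted = store.observeResponse({ host: 'example.com', secure: true,
    stsHeader: 'max-age=31536000; includeSubDomains; preload' });
  const upgraded = store.rewriteUrl('http://www.example.com/login');
  clock += 31536001 * 1000;                          // one second past max-age
  const afterExpiry = store.rewriteUrl('http://www.example.com/login');
  return { noted, upgraded, afterExpiry };
}

console.log(demo());
```

Run it with node; the model deliberately refuses a header seen over plain [HTTP], a header with a duplicate or malformed directive, and any host that is an [IP Address], while a max-age=0 header over [HTTPS] removes the cached policy exactly as the text above describes.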
While the service is hosted by [Google], all major browsers have stated an intent to use (or have actually started using) the preload list. However, it is not part of the [HSTS] [specification] and should not be treated as official.
* Information regarding the [HSTS] preload list in Chrome:
** The list: [https://www.chromium.org/hsts|https://www.chromium.org/hsts|target='_blank']
** A [website] to be __hardcoded into [Chrome] as being [HTTPS] only__ can be submitted at [https://hstspreload.org|https://hstspreload.org|target='_blank']
* The [Firefox] [HSTS] preload list can be viewed at: [nsSTSPreloadList.inc|https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc|target='_blank']
** This list is used by [Mozilla]'s [Network Security Services] as the set of sites that permanently use [HTTPS]

!! [Domain Name System] _NOT_ [IP Address]
[{$pagename}] hosts are identified only via domain names; explicit [IP Address] identification of all forms is excluded. [RFC 6797] Appendix A explicitly excludes [IP Address]es, so a [{$pagename}] header returned by a host that was addressed by [IP Address] is not honoured.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Strict-Transport-Security|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security|target='_blank'] - based on information obtained 2018-05-12
* [#2] - [HTTP_Strict_Transport_Security|Wikipedia:HTTP_Strict_Transport_Security|target='_blank'] - based on information obtained 2018-07-31