aixlabDocs

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an HTTP header that instructs clients, such as web browsers, to only access a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS.

After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade the connection to unencrypted HTTP.

The browser will expire the HSTS header after the number of seconds configured in the max-age attribute.

You can determine whether or not an HSTS header is present by checking the domain against https://gf.dev/hsts-test. Alternatively, you can validate with the Google Chrome developer tools when examining the header “Strict-Transport-Security”.

You may also want to submit the domain for HSTS preloading, validating it with https://hstspreload.org/.


Generate the HSTS Header

  • max-age should be set to at least 1 year (31536000 seconds).
  • includeSubDomains should be set to apply HSTS to all subdomains.
  • preload indicates that the domain should be added to the central preload list shipped with browsers.
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
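As an added example (not code from this page or the aixlab project), the Python checker below parses a Strict-Transport-Security header value and reports which of the three recommendations above it misses, rejecting malformed values such as a header name accidentally pasted into the value; the function names are assumptions of this example.

```python
import re

ONE_YEAR = 31536000  # minimum recommended max-age, in seconds

# One directive: a token, optionally "=" and a (possibly quoted) value.
# Directive names are case-insensitive (RFC 6797).
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*)"?)?\s*$')


def parse_hsts(value):
    """Map lower-cased directive names to values (None when no '=').
    Raises ValueError for a malformed or repeated directive (RFC 6797).
    """
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError("malformed directive: %r" % part.strip())
        name = m.group(1).lower()
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        raw = m.group(2)
        directives[name] = raw.strip() if raw is not None else None
    return directives


def check_hsts(value):
    """Return findings against the recommendations above; [] means all met."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age missing or not a non-negative integer"]
    findings = []
    if int(max_age) == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif int(max_age) < ONE_YEAR:
        findings.append("max-age %s is below one year (%d)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    if "preload" not in d:
        findings.append("preload missing: domain cannot be submitted for preloading")
    return findings
```

Feed it the value of the header as received (without the "Strict-Transport-Security:" name); an empty list means the header meets all three recommendations.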