HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

About

Strict Transport Security (HSTS) is a header that tells the client that the website should always be contacted with HTTPS

Effect

When HSTS is on, if it's not possible to make a https connection (for instance if the certificate is not valid), the user will not be able to navigate the website and will get this message.

Management

Set

Recommended value:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Example in Apache The Apache htaccess file with Apache - HTTP Header (mod_header module)

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hardcoded in chrome (preload)

To submit domains for hard coded inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list:

Add the preload tag to the value

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

and submit the website here: https://hstspreload.org/

Delete

In chrome

chrome://net-internals/#hsts

then delete

Documentation / Reference

Strict-Transport-Security

Recommended Pages

HTTP - HTTPS scheme (HTTP-over-TLS)

The https scheme represents HTTP-over-TLS HTTP is a application protocol (OSI level 7) that is build on TCP as transport layer (OSI level 3) HTTPS is essentially HTTP after the connection has been se "...

HTTP - Security Headers

In HTTP, the security is done via the setting of response header known as security header. They drives the execution of the browser page load Header response HTTP header that control the browser and h "...

Share this page: