HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

About

Strict Transport Security (HSTS) is a header that tells the client that the website should always be contacted with HTTPS

Effect

When HSTS is on, if it's not possible to make a https connection (for instance if the certificate is not valid), the user will not be able to navigate the website and will get this message.

Management

Set

Recommended value:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Example in Apache The Apache htaccess file with Apache - HTTP Header (mod_header module)

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hardcoded in chrome (preload)

To submit domains for hard coded inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list:

Add the preload tag to the value

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

and submit the website here: https://hstspreload.org/

Delete

In chrome

chrome://net-internals/#hsts

then delete

Documentation / Reference

Strict-Transport-Security

Recommended Pages

HTTP - HTTPS scheme (HTTP-over-TLS)

The https scheme represents HTTP-over-TLS HTTP is a application protocol (OSI level 7) that is build on TCP as transport layer (OSI level 3) HTTPS is essentially HTTP after the connection has been se "...

HTTP - Security Headers

in HTTP Articles Related Header response HTTP header that control the browser and have an effect on security: Content-Security-Policy: : to prevent cross-site scripting (XSS), clickjacking and other "...

Share this page: