HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

1 - About

Strict Transport Security (HSTS) is a response header that tells the client that the website should always be contacted over HTTPS.

3 - Effect

When HSTS is on and an HTTPS connection cannot be made (for instance because the certificate is not valid), the user will not be able to navigate the website and will get an error message from the browser.

4 - Management

4.1 - Set

Example with Apache - HTTP Header (mod_headers module)


Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

4.2 - Hardcoded in Chrome (preload)

To submit a domain for hard-coded inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list:

  • Add the preload directive to the header value

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

4.3 - Delete

In Chrome, open:


chrome://net-internals/#hsts

  • then delete the domain's HSTS entry

5 - Documentation / Reference

