HTTP - Strict Transport Security (HSTS) - mandatory HTTPS
Table of Contents
1 - About
Strict Transport Security (HSTS) is a response header that tells the client (browser) that the website must always be contacted over HTTPS, for the duration given by its max-age directive.
2 - Articles Related
3 - Effect
When HSTS is on and an HTTPS connection cannot be made (for instance because the certificate is not valid), the browser refuses to load the website, and the user gets an error message instead of the page.
4 - Management
4.1 - Set
Example with Apache - HTTP Header (mod_headers module)
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
4.2 - Hardcoded in Chrome (preload)
To submit a domain for hard-coded inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list:
- Add the preload directive to the header value
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- then submit the domain here: https://hstspreload.org/