HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from malicious activities and informs user agents and web browsers how to handle its connection through a response header. Whenever a website connects through HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created and the redirect can lead the users to a malicious website because users first have to communicate with the non-encrypted version of the website. A server implements the HSTS policy by supplying a header over an HTTPS connection which informs the browser to load a site using HTTPS rather than HTTP.
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
- <expire-time>: This specifies the time in seconds for which the user agent or browser should only access the server in a secure fashion, by using HTTPS.
- includeSubDomains: This directs the browser to apply the rule to all pages and sub-domains of the site as well.
- preload: This is necessary for inclusion in most major web browsers’ HSTS preload lists.
Explanation: If a user types http://www.geeksforgeeks.com/ or geeksforgeeks.com into the address bar, this creates a chance for a man-in-the-middle attack: the HTTP-to-HTTPS redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
Strict-Transport-Security: max-age=3600; includeSubDomains
All pages and subdomains will be served over HTTPS for a max-age of 1 hour. This blocks access to pages or subdomains that cannot be served over HTTPS.
Strict-Transport-Security: max-age=7200; includeSubDomains; preload
All present and future subdomains will be served over HTTPS for a max-age of 2 hours. It also carries the preload suffix, which is required for inclusion in most major web browsers' HSTS preload lists.
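To make the directives above concrete, here is an added example (not code from the original article) that models how a browser parses a Strict-Transport-Security header and then decides whether a later request must be upgraded to HTTPS. It goes slightly beyond the article by also modelling two rules from RFC 6797 that matter for the security argument: the header is only honoured when received over HTTPS (otherwise the plaintext leg the article warns about could be used to set or clear the policy), and max-age=0 makes the browser forget the host. The class and function names, the host names and the header values are all constructed for illustration.

```python
"""Added example: a minimal model of browser-side HSTS policy handling.

Names (HstsPolicy, HstsStore, parse_hsts) and all sample hosts/headers are
hypothetical and constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int             # seconds the policy stays valid (<expire-time>)
    include_subdomains: bool  # includeSubDomains directive present
    preload: bool             # preload directive present
    received_at: float        # time (seconds) the header was observed

    def expired(self, now: float) -> bool:
        return now >= self.received_at + self.max_age


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is unusable (no max-age, or a non-numeric
    max-age); a browser ignores such a header. Directive names are
    case-insensitive, so 'includesubdomains' and 'includeSubDomains' match.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload, now)


class HstsStore:
    """Models the browser's list of hosts known to require HTTPS."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, scheme: str,
                         header: Optional[str], now: float) -> None:
        """Record the policy carried by a response from `host`."""
        # Only a response received over HTTPS may set or clear a policy;
        # a header seen on a plain HTTP response is ignored.
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy.max_age == 0:
            # max-age=0 instructs the browser to forget the host.
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = policy

    def must_use_https(self, host: str, now: float) -> bool:
        """Decide whether a request to `host` must be sent over HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None or policy.expired(now):
                continue
            # An exact match always applies; a parent domain's policy covers
            # this host only when it was sent with includeSubDomains.
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    # Constructed sample: the two headers discussed in the article.
    store.observe_response("example.com", "https",
                           "max-age=3600; includeSubDomains", now=0)
    store.observe_response("api.example.net", "https",
                           "max-age=7200; includeSubDomains; preload", now=0)
    print(store.must_use_https("www.example.com", now=10))    # covered by parent
    print(store.must_use_https("www.example.com", now=3600))  # policy expired
```

Running the script prints True and then False: the www host inherits the parent's policy while it is fresh, and loses it once max-age has elapsed. The reason a real browser only trusts the header over HTTPS is visible in `observe_response`: if a plain HTTP response could set the policy, it could equally clear it with max-age=0, which is exactly the leverage an attacker on the unencrypted leg would want.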
To see Strict-Transport-Security in action, open the browser's developer tools (Inspect Element -> Network), select a response and look in its response headers for Strict-Transport-Security, which is highlighted in the screenshot below.
Supported Browsers: The following browsers are compatible with HTTP Strict-Transport-Security.
- Google Chrome 4.0
- Internet Explorer 11.0
- Firefox 4.0
- Safari 7.0
- Opera 12.0