Skip to content
Related Articles
Get the best out of our app
GeeksforGeeks App
Open App

Related Articles

HTTP headers | Strict-Transport-Security

Improve Article
Save Article
Like Article
Improve Article
Save Article
Like Article

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from malicious activities and informs user agents and web browsers how to handle its connection through a response header. Whenever a website connects through HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created and the redirect can lead the users to a malicious website because users first have to communicate with the non-encrypted version of the website. A server implements the HSTS policy by supplying a header over an HTTPS connection which informs the browser to load a site using HTTPS rather than HTTP.


Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload


  • <expire-time>: This mentions the time in seconds for which the user agent or browser should only access the server in a secure fashion by using HTTP.
  • includeSubDomains: This directs the browser to apply the rule to all pages and sub-domains of the site as well.
  • preload: This is necessary for inclusion in most major web browsers’ HSTS preload lists.

Explanation: If a user type in an address bar or this will create a chance for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.


Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and subdomains will be HTTPS for a max-age of 1 hour. This blocks access to pages or sub domains that cannot be served over HTTPS.

Strict-Transport-Security: max-age=7200; includeSubDomains; preload

All present and future sub-domains will be HTTPS for a max-age of 2 hour. It also has preload as the suffix which is necessary in most major web browsers’ HSTS pre-load lists.

To check this Strict-Transport-Security in action go to Inspect Element -> Network check the response header for Strict-Transport-Security like below, Strict-Transport-Security is highlighted you can see.

Supported Browsers: The following browsers are compatible with HTTP Strict-Transport-Security.

  • Google Chrome 4.0
  • Internet Explorer 11.0
  • Firefox 4.0
  • Safari 7.0
  • Opera 12.0
My Personal Notes arrow_drop_up
Last Updated : 05 Nov, 2019
Like Article
Save Article
Similar Reads
Related Tutorials