Skip to content
Related Articles
Get the best out of our app
GeeksforGeeks App
Open App
geeksforgeeks
Browser
Continue

Related Articles

HTTP headers | Strict-Transport-Security

Improve Article
Save Article
Like Article
author
harshcooldude700
proficient
32 published articles
Improve Article
Save Article
Like Article

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from malicious activities and informs user agents and web browsers how to handle its connection through a response header. Whenever a website connects through HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created and the redirect can lead the users to a malicious website because users first have to communicate with the non-encrypted version of the website. A server implements the HSTS policy by supplying a header over an HTTPS connection which informs the browser to load a site using HTTPS rather than HTTP.

Syntax:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives:

  • <expire-time>: This mentions the time in seconds for which the user agent or browser should only access the server in a secure fashion by using HTTP.
  • includeSubDomains: This directs the browser to apply the rule to all pages and sub-domains of the site as well.
  • preload: This is necessary for inclusion in most major web browsers’ HSTS preload lists.

Explanation: If a user type in an address bar http://www.geeksforgeeks.com/ or geeksforgeeks.com this will create a chance for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

Examples:

Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and subdomains will be HTTPS for a max-age of 1 hour. This blocks access to pages or sub domains that cannot be served over HTTPS.

Strict-Transport-Security: max-age=7200; includeSubDomains; preload

All present and future sub-domains will be HTTPS for a max-age of 2 hour. It also has preload as the suffix which is necessary in most major web browsers’ HSTS pre-load lists.

To check this Strict-Transport-Security in action go to Inspect Element -> Network check the response header for Strict-Transport-Security like below, Strict-Transport-Security is highlighted you can see.

Supported Browsers: The following browsers are compatible with HTTP Strict-Transport-Security.

  • Google Chrome 4.0
  • Internet Explorer 11.0
  • Firefox 4.0
  • Safari 7.0
  • Opera 12.0
My Personal Notes arrow_drop_up
Last Updated : 05 Nov, 2019
Like Article
Save Article
Similar Reads
1. Explain HTTP Strict Transport Security
2. Strict vs Non-strict Mode in JavaScript
3. HTTP headers | Access-Control-Expose-Headers
4. HTTP headers | Access-Control-Allow-Headers.
5. HTTP headers | Access-Control-Request-Headers
6. HTTP headers | Content-Security-Policy-Report-Only
7. HTTP headers | Content-Security-Policy
8. HTTP headers | Location
9. HTTP headers | User-Agent
10. HTTP headers | Link
Related Tutorials
1. Onsen UI
2. React Material UI
3. NuxtJS
4. D3.js
5. Spectre CSS
Next
HTTP headers | X-Frame-Options
Article Contributed By :
https://media.geeksforgeeks.org/auth/avatar.png
harshcooldude700
harshcooldude700
Vote for difficulty
Article Tags :
Report Issue
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox