Open In App

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy

HTTP headers | Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from malicious activities and informs user agents and web browsers how to handle its connection through a response header. Whenever a website connects through HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created and the redirect can lead the users to a malicious website because users first have to communicate with the non-encrypted version of the website. A server implements the HSTS policy by supplying a header over an HTTPS connection which informs the browser to load a site using HTTPS rather than HTTP.

Syntax:



Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives:

Explanation: If a user type in an address bar http://www.geeksforgeeks.com/ or geeksforgeeks.com this will create a chance for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.



Examples:

Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and subdomains will be HTTPS for a max-age of 1 hour. This blocks access to pages or sub domains that cannot be served over HTTPS.

Strict-Transport-Security: max-age=7200; includeSubDomains; preload

All present and future sub-domains will be HTTPS for a max-age of 2 hour. It also has preload as the suffix which is necessary in most major web browsers’ HSTS pre-load lists.

To check this Strict-Transport-Security in action go to Inspect Element -> Network check the response header for Strict-Transport-Security like below, Strict-Transport-Security is highlighted you can see.


Supported Browsers: The following browsers are compatible with HTTP Strict-Transport-Security.

Article Tags :
Web Technologies
Recommended Articles
1. Explain HTTP Strict Transport Security
2. Strict vs Non-strict Mode in JavaScript
3. HTTP headers | Access-Control-Expose-Headers
4. HTTP headers | Access-Control-Allow-Headers.
5. HTTP headers | Access-Control-Request-Headers
6. HTTP headers | Content-Security-Policy-Report-Only
7. HTTP headers | Content-Security-Policy
8. HTTP headers | Location
9. HTTP headers | User-Agent
10. HTTP headers | Link
11. HTTP headers | Save-Data
12. HTTP headers | Content-Type
13. HTTP headers | X-Forwarded-Proto
14. HTTP headers | X-XSS-Protection
15. HTTP headers | X-Frame-Options
16. HTTP headers | Last-Modified
17. HTTP headers | Date
18. HTTP headers | Cookie
19. HTTP headers | Expect
20. HTTP headers | Accept-Encoding
21. HTTP headers | Proxy-Authenticate
22. HTTP headers | Content-Range
23. HTTP headers | Content-Encoding
24. HTTP headers | Content-Language
25. HTTP headers | X-Content-Type-Options