Strict-Transport-Security (HSTS) Header Explained
Strict-Transport-Security (HSTS) is an HTTP response header that tells browsers to only connect to your site over HTTPS, never HTTP. Once a browser receives this header, it will automatically upgrade all future HTTP requests to HTTPS for the specified duration, preventing SSL stripping attacks and protocol downgrade attacks.
Recommended Value
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
What Each Directive Does
| Directive | Purpose |
|---|---|
| `max-age=31536000` | Browser remembers to use HTTPS for this many seconds (31536000 seconds = 1 year) |
| `includeSubDomains` | Applies the HSTS policy to all subdomains as well |
| `preload` | Signals consent to submission to the HSTS preload list built into browsers |
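The directive table above is easier to apply with a small checker. The following Node.js snippet is an added example, not code from the original page: it parses a `Strict-Transport-Security` value the way RFC 6797 describes (directive names are case-insensitive, unknown directives are ignored, a directive appearing twice invalidates the header) and then reports the gaps a reviewer would flag, including whether the value meets the preload-list requirements of `max-age` of at least one year plus `includeSubDomains` plus `preload`. Function names and the findings wording are this example's own.

```javascript
// Added example (not from the original page): parse and assess an HSTS header value.
const ONE_YEAR = 31536000; // seconds; the preload list requires at least this

// Parse a raw header value into its directives, following RFC 6797 section 6.1.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (token === '') continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    // Directive values may be quoted strings; strip one pair of surrounding quotes.
    const value = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) {
      result.errors.push(`duplicate directive: ${name}`); // RFC: UA must ignore the whole header
      continue;
    }
    seen.add(name);
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) {
        result.errors.push('max-age must be a non-negative integer');
        continue;
      }
      result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
    // Any other directive is ignored, as browsers do.
  }
  if (result.maxAge === null && !result.errors.some((e) => e.startsWith('max-age'))) {
    result.errors.push('max-age is required');
  }
  return result;
}

// Turn the parsed directives into review findings plus a preload-readiness verdict.
function assessHsts(headerValue) {
  const p = parseHsts(headerValue);
  const findings = [...p.errors];
  if (p.maxAge !== null) {
    if (p.maxAge === 0) {
      findings.push('max-age=0 removes the policy; browsers will forget HSTS for this host');
    } else if (p.maxAge < ONE_YEAR) {
      findings.push(`max-age ${p.maxAge} is below the recommended 1 year (${ONE_YEAR})`);
    }
  }
  if (!p.includeSubDomains) findings.push('includeSubDomains missing: subdomains stay unprotected');
  if (p.preload) {
    if (p.maxAge === null || p.maxAge < ONE_YEAR) findings.push('preload requires max-age >= 31536000');
    if (!p.includeSubDomains) findings.push('preload requires includeSubDomains');
  }
  const preloadReady =
    p.errors.length === 0 && p.maxAge !== null && p.maxAge >= ONE_YEAR && p.includeSubDomains && p.preload;
  return { ...p, findings, preloadReady };
}

// Constructed sample values, as a server might return them during a rollout.
const SAMPLES = [
  'max-age=31536000; includeSubDomains; preload', // recommended value: no findings
  'max-age=300',                                   // test-phase value: two findings
  'max-age=0; includeSubDomains',                  // tells browsers to drop the policy
];
for (const s of SAMPLES) console.log(s, '->', assessHsts(s));
```

Note that `max-age=0` is not "HSTS off"; it is an instruction to forget a previously stored policy, which is what you would send on purpose when retiring HSTS from a host, and what you do not want to ship by accident.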
What Happens Without This Header
Without HSTS, an attacker on the same network (coffee shop Wi-Fi, compromised router) can intercept the initial HTTP request before the redirect to HTTPS. This is called SSL stripping — the attacker downgrades the connection to plain HTTP, intercepting all traffic including login credentials and session cookies.
How to Implement
Nginx:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Apache:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Express.js:

```javascript
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  next();
});
```
Testing and Report-Only
HSTS does not have a report-only mode. Start with a short max-age (e.g., 300 seconds = 5 minutes) to test, then gradually increase to 31536000 (1 year) once confirmed working.
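To tie the Express snippet above to the staged rollout just described, here is an added example (not code from the original page) of an Express-style middleware factory. It builds the header value from a `maxAge` option so the same code serves the 300-second test phase and the one-year final value, refuses `preload` unless the preload requirements are met, and, because RFC 6797 tells browsers to ignore an HSTS header received over plain HTTP, only emits the header when the request arrived over TLS. `req.secure` is the Express property for a TLS connection terminated in Node; the `trustProxy` option and the `X-Forwarded-Proto` handling are this example's own assumptions for deployments behind a TLS-terminating proxy. The `runMock` helper and the plain-object request and response used to exercise it are constructed for this example.

```javascript
// Added example (not from the original page): Express-style HSTS middleware with
// staged max-age and TLS-only emission. Works with plain objects, so it runs without Express.

// Build the header value and reject combinations the preload list would refuse.
function buildHstsValue({ maxAge, includeSubDomains = true, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  if (preload && (maxAge < 31536000 || !includeSubDomains)) {
    throw new Error('preload requires max-age >= 31536000 and includeSubDomains');
  }
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// Decide whether this response is going out over HTTPS. req.secure is set by Express
// when TLS terminates in Node. Behind a proxy, X-Forwarded-Proto is only meaningful if
// the proxy overwrites any client-supplied value, hence the explicit trustProxy opt-in.
function isSecureRequest(req, trustProxy) {
  if (req.secure) return true;
  if (!trustProxy) return false;
  const xfp = req.headers && req.headers['x-forwarded-proto'];
  // A chain of proxies may append values; the first one is the client-facing hop.
  return typeof xfp === 'string' && xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Middleware factory: hsts({ maxAge: 300 }) during testing, hsts({ maxAge: 31536000,
// preload: true }) once the rollout is confirmed (assumed option names, not Express's own).
function hsts(options) {
  const value = buildHstsValue(options);
  const trustProxy = Boolean(options.trustProxy);
  return function hstsMiddleware(req, res, next) {
    if (isSecureRequest(req, trustProxy)) {
      res.setHeader('Strict-Transport-Security', value);
    }
    next();
  };
}

// Constructed harness: run the middleware against a fake request and capture headers.
function runMock(options, req) {
  const headers = {};
  const res = { setHeader: (name, v) => { headers[name] = v; } };
  let nextCalled = false;
  hsts(options)(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Usage with constructed requests: TLS connection, plain HTTP, and HTTPS via a trusted proxy.
console.log(runMock({ maxAge: 300 }, { secure: true, headers: {} }));
console.log(runMock({ maxAge: 300 }, { secure: false, headers: {} }));
console.log(runMock({ maxAge: 31536000, preload: true, trustProxy: true },
  { secure: false, headers: { 'x-forwarded-proto': 'https' } }));
```

In a real app the factory call replaces the inline `app.use` above, e.g. `app.use(hsts({ maxAge: 300 }))` during the test window. For Nginx and Apache the equivalent of the TLS check is simply placing the `add_header` or `Header` line inside the HTTPS server block or virtual host rather than the HTTP one.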