What is HTTP Strict Transport Security (HSTS) ?
HTTP Strict Transport Security (HSTS) is a security policy based on RFC9767 designed to protect domains against both downgrade and passive network attacks. HSTS achieves this by,
- Transforming all insecure (HTTP) based links to HTTPS links.
- Allowing the browser to terminate the connection should it observe any certificate warnings or errors with the domains certificate.
HSTS operates by a Strict-Transport-Security HTTP response header being sent to the browser from the webserver. Once the browser receives this header the HSTS policy is applied for the domain(s) and all further requests are made over HTTPS.
There are 3 components to the Strict-Transport-Security header. They are,
- max-age - The period (in seconds) the browser will apply the HSTS policy for once the initial STS header is received by the browser.
- includeSubdomains (optional) - This is a valueless option that enables the HSTS policy on all further subdomains.
- preload (optional ) - Browsers can hardset a list of domains that the HSTS policy is applied to. This header allows the webserver to confirm and authenticate its submission to the preload list.
Within the browser a list is created containing each of the domains the HSTS policy is applied against. Each entry contains an expiry time which is updated (with the max-age) each time the Strict-Transport-Security header is received.
For details of browser support please click here.