HTTP Strict-Transport-Security (HSTS)

The Strict-Transport-Security header tells the browser to only access the site using HTTPS.

This header is only obeyed by browsers if it's sent on HTTPS (because HTTP web pages may be compromised by man-in-the-middle attacks). Once obeyed, future attempts to load the site using HTTP will automatically use HTTPS instead.

Response headers

Strict-Transport-Security

If sent on HTTPS: remember to only access the site using HTTPS.

  • max-age=<expire-time> time in seconds to remember the policy, e.g. max-age=31536000 (one year)
  • includeSubDomains apply the policy to this site's subdomains as well
  • preload if applicable, list this site in Google's HSTS preload service (not part of the specification)

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
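The following Python example is added here to show the header format above in working code; it is not part of the original page. It parses a Strict-Transport-Security value following the RFC 6797 rules (directive names are case-insensitive, max-age is required and may be quoted, a repeated directive makes the header invalid, unknown directives are ignored), applies the rule that the header only counts when received over HTTPS, and reports what is missing for the preload list. The function names, the HSTSPolicy class and the preload-list thresholds (one-year max-age, includeSubDomains and preload all present) are this example's own assumptions, not anything defined by the page.

```python
"""Parse and check Strict-Transport-Security header values (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum max-age
_DELTA_SECONDS = re.compile(r"^[0-9]+$")  # RFC 6797 delta-seconds: ASCII digits only


@dataclass
class HSTSPolicy:
    """Hypothetical container for a parsed policy (not from the page)."""
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains; preload'.

    Raises ValueError when the value is invalid under RFC 6797 (no max-age,
    a non-numeric max-age, or a directive that appears more than once).
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False

    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue  # the grammar allows empty directives between semicolons
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)

        if name == "max-age":
            # max-age may be sent as a quoted-string, e.g. max-age="31536000"
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]
            if not _DELTA_SECONDS.match(val):
                raise ValueError(f"invalid max-age value: {val!r}")
            max_age = int(val)  # max-age=0 tells the browser to forget the policy
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as the RFC requires

    if max_age is None:
        raise ValueError("max-age directive is required")
    return HSTSPolicy(max_age, include_subdomains, preload)


def build_hsts(max_age: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Build a header value; the inverse of parse_hsts."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def effective_policy(scheme: str, headers: Dict[str, str]) -> Optional[HSTSPolicy]:
    """Return the policy a browser would honour for a response, or None.

    A browser ignores the header on plain HTTP, since an on-path attacker
    could have injected it; header names are matched case-insensitively.
    """
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def preload_problems(policy: HSTSPolicy) -> List[str]:
    """List what keeps a policy from being accepted by the preload list.

    Thresholds are this example's assumptions about the preload service's
    submission rules, not something the page states.
    """
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample response, not captured from a real server.
    sample_headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print(effective_policy("https", sample_headers))
    print(effective_policy("http", sample_headers))  # None: ignored on HTTP
    print(preload_problems(parse_hsts("max-age=300")))
```

Running the block with a constructed response shows the full policy being honoured over HTTPS, the same header being ignored over HTTP, and a short max-age=300 policy failing all three preload checks.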

References