HSTS - Web Security Best Practices
HTTP Strict Transport Security (HSTS) is a response header that improves security by instructing browsers to always use HTTPS instead of HTTP when visiting your site.
We recommend that HTTPS sites support HSTS. HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
Use HSTS
Configure HSTS (HTTP Strict Transport Security) response headers to force browsers to always use HTTPS instead of HTTP on your site. When a browser visits your site and sees the Strict-Transport-Security response header, it tells the browser to transform all future http:// URL requests to your site into https:// requests. The header can include these options:
- max-age=<seconds> says how many seconds the HSTS policy should be followed for
- includeSubDomains says to apply the policy to all subdomains

For example, Strict-Transport-Security: max-age=31536000; includeSubDomains tells browsers to use HTTPS for the next year and for all subdomains.

Warning: Start with a low max-age until you're confident you can manage the HTTPS configuration of your site. If there are problems loading pages over HTTPS later, users will be locked out of accessing your site until the problems are fixed.
Learn more
- Strict-Transport-Security (developer.mozilla.org)
- HTTP Strict Transport Security Cheat Sheet (www.owasp.org)
- HTTP Strict Transport Security (en.wikipedia.org)
- Secure your site with HTTPS (support.google.com)
Use HSTS preload
Add your site to the HSTS preload list so HSTS is active for your site in browsers by default. Your HSTS policy is only active in a browser after that browser sees a response from your site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit your site using an insecure HTTP URL. To eliminate this attack vector, add your site to the "HSTS preload list" so browsers will apply HSTS to your site by default even before the first visit.

To add your site to the list, your Strict-Transport-Security header for all responses on all subdomains should have a max-age setting of at least 1 year (31,536,000 seconds) and both the includeSubDomains and preload options should be set. The header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload meets these requirements. Take care to get the capitalisation right for each option, such as for includeSubDomains. Once this is done, you can submit your site to https://hstspreload.org/ for inclusion in the HSTS preload list.

Warning: As with enabling HSTS, you must be confident you won't need to disable HTTPS in the future. Removing yourself from the HSTS preload list may take some time and browsers might not keep their list up to date.
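The following Python script is an added example, not part of the original article or of any browser or of hstspreload.org. It serves both sections above: parse_hsts breaks a Strict-Transport-Security header value into its directives and records warnings for non-canonical capitalisation or unknown directives; preload_problems lists which of the preload requirements stated above (max-age of at least 31,536,000 seconds, includeSubDomains and preload present) a parsed header fails; rewrite_url mimics the browser-side upgrade of http:// requests to https:// for hosts with a remembered policy, including the subdomain scope that includeSubDomains adds. Header values, hostnames and URLs in the block are constructed for the demonstration; policy expiry is deliberately ignored so the scope logic stays readable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds: the minimum max-age the article gives for preload


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    warnings: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.

    Directives are matched case-insensitively so a misspelt option is still
    recognised, but any deviation from the canonical spelling (max-age,
    includeSubDomains, preload) is recorded as a warning, as the article
    advises checking capitalisation before submitting for preload."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip()
        value = value.strip().strip('"')  # RFC 6797 allows a quoted max-age value
        lname = name.lower()
        if lname == "max-age":
            if name != "max-age":
                policy.warnings.append(f"non-canonical directive name {name!r} (expected max-age)")
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.warnings.append(f"max-age has non-numeric value {value!r}")
        elif lname == "includesubdomains":
            if name != "includeSubDomains":
                policy.warnings.append(f"non-canonical directive name {name!r} (expected includeSubDomains)")
            policy.include_subdomains = True
        elif lname == "preload":
            if name != "preload":
                policy.warnings.append(f"non-canonical directive name {name!r} (expected preload)")
            policy.preload = True
        else:
            policy.warnings.append(f"unknown directive {name!r}")
    return policy


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Return the reasons a policy does not meet the preload requirements above."""
    problems = []
    if policy.max_age is None:
        problems.append("max-age directive is missing")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


def rewrite_url(url: str, known_hosts: Dict[str, HstsPolicy]) -> str:
    """Mimic the browser: an http:// URL whose host has a remembered policy, or
    is a subdomain of a host whose policy set includeSubDomains, is rewritten
    to https://. An explicit port 80 is dropped so the default 443 applies.
    known_hosts is a constructed stand-in for the browser's HSTS store."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy is None:
            continue
        # Exact host match always applies; a parent-domain match needs includeSubDomains.
        if i == 0 or policy.include_subdomains:
            netloc = host if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    for value in ("max-age=31536000; includeSubDomains; preload", "max-age=300; includesubdomains"):
        p = parse_hsts(value)
        print(value, "->", preload_problems(p) or "preload requirements met", p.warnings)
    store = {"example.com": parse_hsts("max-age=31536000; includeSubDomains")}
    print(rewrite_url("http://www.example.com/login?x=1", store))
```

Run it over your own header value to see which preload requirement is missing before submitting at hstspreload.org; the rewrite_url half is only a model of the browser's behaviour, useful for reasoning about which hostnames a given includeSubDomains policy will cover.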
Learn more
- HSTS Preload List Submission (hstspreload.org)
- HTTP Strict Transport Security (www.chromium.org)
- Preloading HSTS (blog.mozilla.org)
- HTTP Strict Transport Security (en.wikipedia.org)
- HTTP Strict Transport Security Cheat Sheet (www.owasp.org)
- HSTS Preload List Removal (hstspreload.org)
More articles in this series
➜ This article is from our comprehensive Web Security Best Practices guide.
➜ Next article in this series: Content sniffing
➜ Previous article in this series: HTTPS