HTTP Strict Transport Security (HSTS) is a response header that improves security by instructing browsers to always use HTTPS instead of HTTP when visiting your site.

We recommend that HTTPS sites support HSTS. HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.

Google, "Secure your site with HTTPS"

Use HSTS

Configure HSTS (HTTP Strict Transport Security) response headers to force browsers to always use HTTPS instead of HTTP on your site. When a browser visits your site and sees the Strict-Transport-Security response header, it tells the browser to transform all future http:// URL requests to your site into https:// requests.

The header can include these options:

1) max-age=<seconds> says how many seconds the HSTS policy should be followed for.

2) includeSubDomains says to apply the policy to all subdomains.

For example, Strict-Transport-Security: max-age=31536000; includeSubDomains tells browsers to use HTTPS for the next year and for all subdomains.

Warning: Start with a low max-age until you’re confident you can manage the HTTPS configuration of your site. If there are problems loading pages over HTTPS later, users will be locked out of accessing your site until the problems are fixed.

Use HSTS preload

Add your site to the HSTS preload list so HSTS is active for your site in browsers by default. Your HSTS policy is only active in a browser after that browser sees a response from your site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit your site using an insecure HTTP URL. To eliminate this attack vector, add your site to the “HSTS preload list” so browsers will apply HSTS to your site by default even before the first visit.

To add your site to the list, your Strict-Transport-Security header for all responses on all subdomains should have a max-age setting of at least 1 year (31,536,000 seconds) and both the includeSubDomains and preload options should be set. The header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload meets these requirements. Take care to get the capitalisation right for each option such as for includeSubDomains.

Once this is done, you can submit your site to https://hstspreload.org/ for inclusion in the HSTS preload list.

Warning: As with enabling HSTS, you must be confident you won’t need to disable HTTPS in the future. Removing yourself from the HSTS preload list may take some time and browsers might not keep their list up to date.
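The following is an added example, not code from this guide or from hstspreload.org. It shows the two sides of the behaviour described in the last two sections: a parser that validates a Strict-Transport-Security header value and checks it against the preload requirements listed above (max-age of at least one year, includeSubDomains and preload present), and a small model of a browser's HSTS store that upgrades http:// URLs only after a policy has been seen over HTTPS (or when the host is preloaded), honours includeSubDomains and max-age expiry, and forgets a host on max-age=0. The hostnames (example.com, preloaded.test), the HstsCache class and the `over_https` parameter are assumptions made for the example; directive names are matched case-insensitively as RFC 6797 specifies for browsers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; the minimum max-age for preload submission


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is malformed: missing or non-numeric max-age,
    or a directive given twice (RFC 6797 treats duplicates as invalid).
    Unknown directives are ignored, as browsers ignore them.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age="300" is allowed by the RFC
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> List[str]:
    """Return the reasons a policy would not qualify for the preload list (empty if it qualifies)."""
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsCache:
    """Simplified model of a browser's HSTS store (assumption: not any real browser's code)."""

    def __init__(self, preloaded=()):
        # host -> (expiry in epoch seconds, or None for a preloaded entry; include_subdomains)
        self._entries: Dict[str, Tuple[Optional[int], bool]] = {}
        for host in preloaded:
            self._entries[host.lower()] = (None, True)

    def observe_response(self, host: str, header_value: str, now: int, over_https: bool = True) -> None:
        """Record a policy from a response; browsers ignore the header on plain-HTTP responses."""
        if not over_https:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            # max-age=0 tells the browser to forget a dynamic entry; preloaded entries stay.
            if host in self._entries and self._entries[host][0] is not None:
                del self._entries[host]
            return
        self._entries[host] = (now + policy.max_age, policy.include_subdomains)

    def upgrade(self, url: str, now: int) -> str:
        """Rewrite an http:// URL to https:// if a current policy covers its host."""
        scheme, _, rest = url.partition("://")
        if scheme != "http":
            return url
        host = rest.split("/", 1)[0].split(":")[0].lower()
        labels = host.split(".")
        # Check the host itself, then each parent domain (parents apply only with includeSubDomains).
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= now:
                continue  # policy has expired
            if i == 0 or include_sub:
                return "https://" + rest
        return url
```

Running `preload_problems(parse_hsts("max-age=300"))` lists all three shortfalls, while the recommended `max-age=31536000; includeSubDomains; preload` value produces an empty list. The cache shows why preloading matters: a header delivered over plain HTTP is ignored, so an unvisited host is only upgraded when it is on the preloaded list.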

More articles in this series

➜  This article is from our comprehensive Web Security Best Practices guide.
