Security

Strict-Transport-Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

Syntax

Strict-Transport-Security: max-age=&lt;seconds&gt;; includeSubDomains; preload

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Description

The Strict-Transport-Security (HSTS) header tells browsers to only communicate with the server using HTTPS. Once received, the browser will automatically convert all HTTP requests to HTTPS for the specified duration.

The max-age directive specifies how long (in seconds) to enforce HTTPS. includeSubDomains extends this to all subdomains. preload allows inclusion in browser HSTS preload lists.

HSTS prevents man-in-the-middle attacks, SSL stripping, and cookie hijacking. Use at least 1 year (31536000 seconds) for production.

Check if your website sends this header correctly

Check your headers →

Strict-Transport-Security

Syntax

Example

Description

Related Articles

Related Headers

Start monitoring for free

Related Articles

HSTS and Preload List: Complete Implementation Guide

Complete guide to HTTP Strict Transport Security (HSTS) header and preload list. Implementation steps, risks, rollback strategy, and best practices.

Web Server Security Hardening Checklist: Nginx and Apache

Complete web server hardening checklist for nginx and Apache. File permissions, security headers, TLS configuration, access control, and monitoring.

Reverse Proxy: How It Works and Why You Need One

Understand reverse proxies — how they work, their benefits for security, performance, and scalability, and how to configure Nginx as a reverse proxy.