Strict-Transport-Security Header

The HTTP Strict-Transport-Security (HSTS) response header tells a browser that a site must only be reached over HTTPS. Once the browser has seen the header on a valid HTTPS response, it rewrites any http:// URL for that host to https:// before the request leaves the machine and refuses to proceed past certificate errors for that host. This defeats man-in-the-middle attacks that depend on the first plaintext request, such as SSL stripping (protocol downgrade) and hijacking of cookies sent over HTTP. The header is ignored when it arrives over plain HTTP or on a response with a certificate error, so the very first visit to a site is still unprotected unless the domain is in the browsers' built-in preload list.

Syntax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

  • max-age=<expire-time>: Required. The number of seconds, counted from when the header was received, for which the browser must treat the host as HTTPS-only. Every conforming response restarts the timer. A value of 0 tells the browser to delete its stored policy for the host, which is the only way to roll HSTS back before the previously announced max-age has run out.
  • includeSubDomains: Optional. Extends the policy to every subdomain of the host that sent the header. It should be sent from the registered domain itself (example.com, not only www.example.com) and only once every subdomain, internal ones included, actually serves HTTPS; any that do not become unreachable for the whole max-age.
  • preload: Optional and not part of RFC 6797. It signals that the site owner consents to the domain being added to the HSTS preload list compiled into Chrome and reused by Firefox, Safari and Edge, which protects even the first visit. Submission at hstspreload.org requires a max-age of at least 31536000 seconds (one year), includeSubDomains and preload together, and an HTTP-to-HTTPS redirect on the domain. Removal from the list can take months to reach users, so preload only once subdomain coverage is certain.

Examples

The following example tells the browser to use HTTPS only for this host and all of its subdomains for one year (31536000 seconds), counted from the last time it saw the header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

For a site that has been submitted, or is about to be submitted, to the preload list, the preload directive is added as well:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
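A worked model of these rules, added here as an illustration (it is not code from the original page or from any browser): a small Python module that parses the header the way RFC 6797 tells browsers to, keeps a toy HSTS store so the effect of max-age, includeSubDomains and max-age=0 can be seen, and lists what the hstspreload.org submission form would reject. The host names, sample headers and timeline are constructed for the example; the one-year threshold is the preload list's published minimum.

```python
"""Minimal model of how a browser parses and applies Strict-Transport-Security
(RFC 6797), plus a check against the HSTS preload list submission rules.
Added example; not browser code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this max-age


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would keep, or None if the header is invalid.

    RFC 6797 section 6.1: directive names are case-insensitive, max-age is
    required, a directive may appear only once, the max-age value may be
    quoted, and unrecognised directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: the whole header is ignored
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None  # max-age needs a non-negative integer
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and skipped
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


# The browser's HSTS store: host -> (policy, absolute expiry time in seconds)
HstsStore = Dict[str, Tuple[HstsPolicy, float]]


def apply_header(store: HstsStore, host: str, value: str, over_https: bool,
                 now: float) -> bool:
    """Simulate receiving the header from `host`. Returns True if the store changed.

    The header is honoured only on an HTTPS response without certificate errors
    (RFC 6797 section 8.1); max-age=0 deletes an existing entry, which is the
    only way a site can roll HSTS back before the old max-age runs out.
    """
    if not over_https:
        return False
    policy = parse_hsts(value)
    if policy is None:
        return False
    if policy.max_age == 0:
        return store.pop(host, None) is not None
    store[host] = (policy, now + policy.max_age)
    return True


def should_upgrade(store: HstsStore, host: str, now: float) -> bool:
    """Would a plain http:// request to `host` be rewritten to https://?

    An exact host entry applies; a parent-domain entry applies only if it was
    set with includeSubDomains. Expired entries are ignored.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None:
            continue
        policy, expires_at = entry
        if now >= expires_at:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def preload_problems(value: str) -> List[str]:
    """Reasons the header itself would fail the hstspreload.org checks (the
    site must additionally redirect HTTP to HTTPS and have a valid certificate)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is not a valid HSTS policy"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed walk-through with made-up hosts; not captured from a real site.
    store: HstsStore = {}
    apply_header(store, "example.com", "max-age=31536000; includeSubDomains", True, now=0)
    print(should_upgrade(store, "www.example.com", now=10))        # True
    print(should_upgrade(store, "www.example.com", now=ONE_YEAR))  # False, expired
    print(preload_problems("max-age=300"))
```

The store keeps an absolute expiry rather than the raw max-age because that is what makes the rollback problem visible: a host that stops sending the header stays pinned until the timestamp passes, and only an explicit max-age=0 over HTTPS clears it earlier.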

Browser Compatibility

Browser   Support
Chrome    Supported
Firefox   Supported
Safari    Supported
Opera     Supported
Edge      Supported

How to modify the Strict-Transport-Security header

ModHeader is a browser extension (originally for Chrome) that rewrites the headers of HTTP requests and responses as they pass through the browser. Because Strict-Transport-Security is a response header, it belongs in ModHeader's 'Response header' section: click the ModHeader icon on the toolbar, enter 'Strict-Transport-Security' in the 'Response header' box, and enter the header value in the 'value' box.

Example:

To have the browser treat the site as HTTPS-only for a year, subdomains included:

  • In the 'Response header' box, enter Strict-Transport-Security.
  • In the 'value' box, enter max-age=31536000; includeSubDomains.

While the profile is enabled, the responses the browser receives carry this header as if the server had sent it, which lets developers see how a site behaves under a given HSTS policy before changing the server. Two caveats when testing this way: the browser only honours the header on HTTPS responses with a valid certificate, so injecting it into plain-HTTP responses has no effect; and once accepted, the policy stays in the browser's HSTS store for the full max-age even after the extension is disabled. To undo it, inject max-age=0 for the host or delete the entry manually (in Chrome, under chrome://net-internals/#hsts).