Table of Content
The HTTP Strict-Transport-Security (HSTS) header is a security mechanism that web servers use to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It ensures that web browsers only interact with the server over a secure HTTPS connection, not the insecure HTTP.
Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload
max-age=<expire-time>: This directive dictates the amount of time, in seconds, the browser should remember that this site is only accessible using HTTPS.
includeSubDomains: If this optional directive is specified, this rule applies to all the site's subdomains as well.
preload: This optional directive is used to conform to the HSTS preload list submission requirements.
The following examples indicate that the browser should remember to use HTTPS for the next year, including subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains
For preloading, the following can be used:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
How to modify Strict-Transport-Security header
ModHeader is a chrome extension that allows users to modify HTTP request headers. It can be used to modify the Strict-Transport-Security header. To modify, click on the ModHeader icon on the toolbar, enter 'Strict-Transport-Security' in the 'Response header' box, and enter your header value in the 'value' box.
For setting the max-age to a year and including subdomains,
- In the 'Response header' box, enter
- In the 'value' box, enter
Then, all subsequent HTTP requests made via your browser will include this modified header. It can be especially useful for website developers testing how their site responds to different strict transport security scenarios.