Strict-Transport-Security Header
The HTTP Strict-Transport-Security (HSTS) header is a security mechanism that web servers use to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. Once a browser has received it, the browser interacts with the site only over a secure HTTPS connection and never over plain, insecure HTTP.
Syntax
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Directives
max-age=<expire-time>
: This directive dictates the amount of time, in seconds, for which the browser should remember that this site is only accessible using HTTPS.
includeSubDomains
: If this optional directive is specified, the rule applies to all of the site's subdomains as well.
preload
: This optional directive is used to conform to the HSTS preload list submission requirements.
Examples
The following examples indicate that the browser should remember to use HTTPS for the next year, including subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains
For preloading, the following can be used:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
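As an added example that is not part of the original page, the following Python parser reads a Strict-Transport-Security value the way a browser does, reports malformed headers that a browser would ignore, and checks whether the policy meets the preload requirements shown above. The parsing rules (case-insensitive directive names, max-age required, no duplicate directives, unknown directives ignored) are taken from RFC 6797, and the one-year preload threshold is an assumption drawn from the preload list submission rules rather than from this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age the HSTS preload list submission rules require (one year).
PRELOAD_MIN_MAX_AGE = 31536000

@dataclass
class HSTSPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # RFC 6797 requires max-age; a malformed header is ignored by the browser.
        return self.max_age is not None and not self.problems

    @property
    def preload_eligible(self) -> bool:
        # Submission requires a one-year max-age plus includeSubDomains and preload.
        return (self.valid and self.preload and self.include_subdomains
                and self.max_age >= PRELOAD_MIN_MAX_AGE)

def parse_hsts(header_value: str) -> HSTSPolicy:
    """Parse a Strict-Transport-Security value the way a browser does."""
    policy, seen = HSTSPolicy(), set()
    for token in (t.strip() for t in header_value.split(";") if t.strip()):
        name, _, value = token.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age="300" (quoted-string) is legal
        if name in seen:                   # each directive may appear only once
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isascii() and value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if policy.max_age is None:
        policy.problems.append("required max-age directive is missing")
    return policy
```

A header that parses with problems is one the browser discards, so the site silently falls back to having no HSTS protection; checking `valid` catches that before deployment.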
Browser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Supported |
| Safari | Partially Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Strict-Transport-Security header
ModHeader is a Chrome extension that allows users to modify HTTP request and response headers. It can be used to modify the Strict-Transport-Security header. To do so, click the ModHeader icon on the toolbar, enter 'Strict-Transport-Security' in the 'Response header' box, and enter your header value in the 'value' box.
Example:
To set the max-age to a year and include subdomains:
- In the 'Response header' box, enter Strict-Transport-Security.
- In the 'value' box, enter max-age=31536000; includeSubDomains.
Then the responses to all subsequent HTTP requests made via your browser will carry this modified header. This is especially useful for website developers testing how their site behaves under different Strict-Transport-Security settings.