HTTP - Strict Transport Security (HSTS) - mandatory HTTPS

About

Strict Transport Security (HSTS) is a response header that tells the client that this website must only be contacted over HTTPS; once the browser has seen it, it upgrades every later plain-HTTP request for the host to HTTPS for the lifetime given by max-age.

Effect

When HSTS is on and an HTTPS connection cannot be established (for instance because the certificate is not valid), the user will not be able to navigate the website: the browser refuses the connection without offering a click-through and shows a message like this one.

[Image: HSTS error message in Chrome]

Management

Set

Recommended value:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Example in Apache, in the .htaccess file, using the mod_headers module (see Apache - HTTP Header):

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hardcoded in Chrome (preload)

To submit a domain for hard-coded inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list:

  • Add the preload directive to the value:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Preloading is a long-term commitment: the list ships inside the browser, so a removal takes months to reach users.

Delete

In Chrome:

  • open chrome://net-internals/#hsts
  • enter the domain under "Delete domain security policies" and click Delete

[Image: deleting an HSTS entry in Chrome]
