HSTS Header

HSTS stands for HTTP Strict Transport Security. If a webserver sends the browser this header, the browser will require an HTTPS connection for the domain (and optionally its subdomains) from then on. The HSTS header looks like this:

Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
  • max-age determines how long (in seconds) the policy should remain valid. The expiry is refreshed each time the browser receives the header, so a regularly visited site never drops out of the policy. The value should be very high - the recommended minimum is 180 days. The example sets it to 1 year.
  • includeSubdomains tells the browser that it should require HTTPS on all subdomains as well. This may cause problems if you run an HTTP-only internal website on one of the subdomains. If you decide to enable it, test it first with a very short max-age; once browsers have cached a long max-age there is no going back.
  • preload indicates that you want your domain included in the list of HTTPS-only websites shipped with browsers. You can find more details here.

If you are adding the header yourself, be aware that you should not send it over plain HTTP. If you set the header inside your application, check that the request came in over HTTPS before adding it. Alternatively, if you are adding the header via .htaccess, use the env=HTTPS parameter so Apache only sets it on HTTPS responses:

Header set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" env=HTTPS
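As an added example (not part of the original page), a small Python checker for the rules above: it parses a Strict-Transport-Security value, flags a max-age below the 180-day recommended minimum, and only attaches the header when the request scheme is https. The preload-list conditions it also checks (includeSubDomains plus a max-age of at least one year) are hstspreload.org's published requirements, not something this page states.

```python
from dataclasses import dataclass

MIN_MAX_AGE = 180 * 24 * 3600          # recommended minimum from the text above (180 days)
PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600  # hstspreload.org requires at least one year

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value; names are case-insensitive and unknown directives are ignored (RFC 6797)."""
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def check_hsts(value: str) -> list[str]:
    """Return findings for a header value; an empty list means it follows the recommendations."""
    p = parse_hsts(value)
    findings = []
    if p.max_age < MIN_MAX_AGE:
        findings.append(f"max-age {p.max_age}s is below the 180-day recommended minimum")
    if p.preload and not p.include_subdomains:
        findings.append("preload requires includeSubDomains")
    if p.preload and p.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("preload requires max-age of at least one year")
    return findings

def hsts_header_for(request_scheme: str, value: str) -> dict[str, str]:
    """Only emit the header on HTTPS responses; browsers ignore it over plain HTTP."""
    return {"Strict-Transport-Security": value} if request_scheme == "https" else {}
```

Running check_hsts on a value with a dropped zero (max-age=3153600, about 36 days) reports both the 180-day and the preload one-year findings, which is the kind of typo that silently weakens the policy.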