security

Strict-Transport-Security

HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.

Strict-Transport-Security: max-age=<seconds> [; includeSubDomains] [; preload]

Common directives / values

Directive Purpose
max-age=<seconds> How long the browser enforces HTTPS-only. Must be positive; 0 removes the policy.
includeSubDomains Applies HSTS to every subdomain of the current host.
preload Consent to be baked into browsers' HSTS preload list; requires max-age >= 31536000 and includeSubDomains.

Examples

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Two-year policy covering all subdomains, eligible for the browser preload list.

Strict-Transport-Security: max-age=300

Short TTL for initial rollout — verify nothing breaks before ratcheting up.

Strict-Transport-Security: max-age=0

Emergency removal — clears any cached HSTS policy on next visit.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Common baseline: 1 year, all subdomains, but not preload-committed.

Gotcha

HSTS is ignored when delivered over plain HTTP — the initial visit must be HTTPS to arm the policy. 'preload' is a one-way street: removal from the preload list can take months, so never enable it until every subdomain serves valid TLS.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors