security
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
Strict-Transport-Security: max-age=<seconds> [; includeSubDomains] [; preload] Common directives / values
| Directive | Purpose |
|---|---|
| max-age=<seconds> | How long the browser enforces HTTPS-only. Must be positive; 0 removes the policy. |
| includeSubDomains | Applies HSTS to every subdomain of the current host. |
| preload | Consent to be baked into browsers' HSTS preload list; requires max-age >= 31536000 and includeSubDomains. |
Examples
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Two-year policy covering all subdomains, eligible for the browser preload list.
Strict-Transport-Security: max-age=300 Short TTL for initial rollout — verify nothing breaks before ratcheting up.
Strict-Transport-Security: max-age=0 Emergency removal — clears any cached HSTS policy on next visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains Common baseline: 1 year, all subdomains, but not preload-committed.
Gotcha
HSTS is ignored when delivered over plain HTTP — the initial visit must be HTTPS to arm the policy. 'preload' is a one-way street: removal from the preload list can take months, so never enable it until every subdomain serves valid TLS.
Related headers
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Permissions-Policy
Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.
X-Content-Type-Options
Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.