What is HTTP Strict Transport Security (HSTS)?

Answer

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that forces browsers to communicate with a website only over HTTPS, preventing plain HTTP connections and SSL stripping attacks.

It is set via an HTTP response header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

- max-age: how long (in seconds) the browser should enforce HTTPS for the domain.
- includeSubDomains: applies the policy to all subdomains as well.
- preload: indicates that the domain can be submitted to the browser preload lists (Chrome and Firefox hardcode HSTS domains, so the policy is enforced even before a browser has ever visited the site).

How it prevents attacks: an attacker performing SSL stripping (downgrading HTTPS to HTTP) is defeated because the browser refuses to make HTTP connections. Once a browser sees the HSTS header, it will not make insecure connections to that domain for the max-age duration, even if the user types http://.

Two caveats matter in practice: browsers only honour the header when it arrives over HTTPS (one received over plain HTTP is ignored), and a domain that is not preloaded is unprotected until the browser has seen the header at least once, which is the gap preloading closes.
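To make the mechanism concrete, the following is an added example (written for this page, not taken from any browser's source) of a toy HSTS cache: it parses a Strict-Transport-Security value, stores the policy only when the response came over HTTPS, honours max-age expiry and includeSubDomains when deciding whether an http:// navigation must be upgraded, and checks a header against the published preload-list requirements (max-age of at least one year, includeSubDomains and preload). Hostnames and header values in the demo are constructed for illustration.

```python
"""Toy model of a browser's HSTS cache (added example, not code from the page).
Hostnames and headers used below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) when the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_hsts(header: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into
    (max_age, includeSubDomains, preload).
    Returns None when the header is unusable (missing or malformed max-age),
    which mirrors browser behaviour: an invalid header is simply ignored."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None          # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None                  # max-age is mandatory
    return max_age, include_subdomains, preload


def process_response(cache: Dict[str, HstsPolicy], host: str, scheme: str,
                     header: Optional[str], now: float) -> None:
    """Update the cache from one response. The header is honoured only when it
    arrived over HTTPS; max-age=0 tells the browser to forget the policy."""
    if scheme != "https" or header is None:
        return                       # HSTS over plain HTTP is ignored
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, include_subdomains, _preload = parsed
    if max_age == 0:
        cache.pop(host, None)        # explicit removal of the policy
        return
    cache[host] = HstsPolicy(expires_at=now + max_age,
                             include_subdomains=include_subdomains)


def must_upgrade(cache: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """True if an http:// request to host must be rewritten to https://.
    Checks the host itself, then each parent domain whose policy has
    includeSubDomains set; expired policies are skipped."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = cache.get(candidate)
        if policy is None or policy.expires_at <= now:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def meets_preload_requirements(header: str) -> bool:
    """Check a header against the hstspreload.org submission criteria:
    max-age of at least one year (31536000 s), includeSubDomains and preload."""
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_subdomains, preload = parsed
    return max_age >= 31536000 and include_subdomains and preload


if __name__ == "__main__":
    cache: Dict[str, HstsPolicy] = {}
    # First visit over HTTP: the header is ignored, so no protection yet.
    process_response(cache, "example.test", "http", "max-age=31536000", now=0.0)
    print("upgrade after http-only visit:", must_upgrade(cache, "example.test", 1.0))
    # Same header over HTTPS: policy stored, subdomains covered, expiry enforced.
    process_response(cache, "example.test", "https",
                     "max-age=31536000; includeSubDomains; preload", now=0.0)
    print("upgrade example.test:", must_upgrade(cache, "example.test", 10.0))
    print("upgrade www.example.test:", must_upgrade(cache, "www.example.test", 10.0))
    print("upgrade after expiry:", must_upgrade(cache, "example.test", 31536001.0))
    print("preload-ready:", meets_preload_requirements(
        "max-age=31536000; includeSubDomains; preload"))
```

Running the demo shows the first-visit gap (an HSTS header delivered over HTTP changes nothing), the upgrade of both the host and its subdomains once a valid header was seen over HTTPS, and the policy lapsing after max-age. The same parser doubles as a configuration check: a header that fails meets_preload_requirements will be rejected by the preload list.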