HTTP security header
Strict-Transport-Security
HTTP Strict Transport Security (HSTS) instructs browsers to only connect to a site over HTTPS for a specified duration, preventing SSL-stripping and downgrade attacks and blocking users from clicking through certificate warnings. Once set with a long max-age (and ideally preloaded), it closes a window attackers use to intercept early requests.
Example
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadConfiguration guidance
- Use a long max-age (at least one year) once HTTPS is stable.
- Add includeSubDomains only when every subdomain supports HTTPS.
- Consider preload for inclusion in browser HSTS lists.
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app