IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Strict-Transport-Security

HTTP security header

Strict-Transport-Security

HTTP Strict Transport Security (HSTS) instructs browsers to only connect to a site over HTTPS for a specified duration, preventing SSL-stripping and downgrade attacks and blocking users from clicking through certificate warnings. Once set with a long max-age (and ideally preloaded), it closes a window attackers use to intercept early requests.

Example

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Configuration guidance

  • Use a long max-age (at least one year) once HTTPS is stable.
  • Add includeSubDomains only when every subdomain supports HTTPS.
  • Consider preload for inclusion in browser HSTS lists.

Related headers

Content-Security-Policy
MDN: HSTS

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub