HSTS lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
HSTS protects your users from man-in-the-middle and SSL-strip attacks on your website.
Example of the HTTP strict transport security header
If all sub-domains are HTTPS too then the following header is applicable:
Strict-Transport-Security: max-age=expiretime; includeSubDomains
max-age: Time in seconds that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains: Optional parameter; the rule applies to all of the site’s subdomains as well.
How it works
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
Once the expiration time is passed, the next attempt to load the site via HTTP will be completed without automatically using HTTPS as before.
Each time the browser receives the header again, it updates the expiration time for that site, which allows each site to refresh this information and prevent the policy from timing out.
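To make the record/upgrade/expire/refresh behaviour above concrete, here is an added example (not code from the original page) of a minimal browser-side HSTS store: it parses the Strict-Transport-Security header, upgrades matching HTTP URLs, honours includeSubDomains, drops policies once max-age has elapsed and extends them when the header is seen again. The host names and the injectable clock are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Added example: a minimal model of the HSTS store a browser keeps. Hosts used
# below (bank.example, plain.example) are constructed sample values.

def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                      # max-age is mandatory; reject malformed headers
        raise ValueError("Strict-Transport-Security header lacks max-age")
    return max_age, include_sub

class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so expiry can be tested
        self.policies = {}                   # host -> (expires_at, include_subdomains)

    def receive(self, host: str, header: str, over_https: bool = True):
        """Record or refresh a policy. Browsers ignore HSTS sent over plain HTTP."""
        if not over_https:
            return
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self.policies.pop(host.lower(), None)
            return
        self.policies[host.lower()] = (self.clock() + max_age, include_sub)

    def _matches(self, host: str) -> bool:
        now = self.clock()
        for known, (expires_at, include_sub) in list(self.policies.items()):
            if expires_at <= now:            # expired: behaves as if the header was never seen
                del self.policies[known]
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually load for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._matches(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```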
You log into a free WiFi access point at an airport and visit your online banking service to check your balance and pay a couple of bills.
The access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing.
Your private data is exposed to the hacker.
The HSTS header helps resolve this problem:
- The web site informs the browser that it must not be loaded with anything other than HTTPS, so your browser knows to automatically use only HTTPS.
Site with no HSTS Header implemented.