
Strict Transport Security

HTTP Header

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) tells browsers that a site must only be accessed over HTTPS. Once a browser has seen the header, it rewrites any later http:// URL for that host to https:// before sending the request, so no plaintext request ever leaves the machine; this removes the window that protocol downgrade (SSL-stripping) attacks rely on. While the policy is active, the browser also refuses to let the user click through certificate errors for that host.

Strict-Transport-Security is a response header and is not a forbidden header name. A compliant browser that receives it over HTTPS records the policy and enforces HTTPS for that host on later requests; the same header received over plain HTTP is ignored.

Syntax

HTTP Strict Transport Security (HSTS) headers are used to inform browsers that they should interact with the website only over secure connections (HTTPS). Here are the typical formats:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

Directives

max-age=<expire-time>
The duration, in seconds, that the browser should remember that a site is restricted to HTTPS access only.
includeSubDomains Optional
If specified, this rule applies to all subdomains of the site as well, extending the security policy.
preload Optional
See the discussion of the HSTS preload list below. When including preload, max-age must be at least 31536000 (one year) and includeSubDomains must be present, because those are the submission requirements of the preload list. preload is not part of the HSTS specification (RFC 6797); on its own it changes nothing in the browser and only signals the site owner's consent to being added to browsers' built-in lists.

Example

If a website accepts a connection over HTTP and redirects to HTTPS, a visitor who types http://www.foo.com/ or just foo.com first talks to the site in plaintext and is only then redirected to the encrypted version.
That plaintext exchange is the opening for a man-in-the-middle attack.
An attacker on the path can answer the HTTP request themselves and simply never issue the redirect, serving the visitor a cleartext or look-alike copy of the site instead of the secure original (SSL stripping).

The Strict-Transport-Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Imagine you log into a free Wi-Fi network at an airport and begin browsing the web, checking your online banking balance and paying bills.
Unfortunately, if the network is operated by a hacker, they could intercept your original HTTP request and redirect you to a clone of your bank’s site rather than the real one, exposing your sensitive data.

Strict Transport Security addresses this: once you have reached your bank's website over HTTPS and received the header, your browser remembers to use only HTTPS for that host until max-age runs out, so the plaintext request an SSL-stripping attacker relies on is never sent. Note what it does not cover: the very first visit, before the header has been seen, is still unprotected unless the domain is preloaded (see below).

The first time you access a site via HTTPS and the server returns the Strict-Transport-Security header, your browser records this information. Future attempts to load the site over HTTP will automatically switch to HTTPS.

After the max-age period expires, the browser reverts to normal behaviour and will again attempt to load the site over HTTP unless the header has been refreshed. Every HTTPS response that carries the header resets the expiry time, so a regularly visited site stays protected continuously.

To disable Strict Transport Security, serve max-age=0 over an HTTPS connection with a valid certificate; the browser then drops the stored policy and allows HTTP access again. A max-age=0 header sent over plain HTTP is ignored, like any other HSTS header received without TLS.
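The syntax and directive rules above, and the browser-side lifecycle just described (learn the policy only from an HTTPS response, upgrade http:// requests for the host and, with includeSubDomains, its subdomains, expire after max-age, refresh on every response, clear on max-age=0), as an added example that is not code from Requestly, MDN or any browser. It models a browser's HSTS cache in plain JavaScript; hostnames, timestamps and header values are constructed for the demo, and the preload requirements it checks are the ones stated in this page.

```javascript
// Added example (not code from Requestly or from the HSTS specification):
// a small model of how a browser parses Strict-Transport-Security and
// keeps its HSTS cache. Hostnames and timestamps are constructed for the demo.

const ONE_YEAR = 31536000; // seconds; minimum max-age the preload list accepts

// Parse a header value into {maxAge, includeSubDomains, preload, errors}.
// Directive names are case-insensitive and unknown ones are ignored;
// a repeated directive or a missing/non-numeric max-age is reported.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const piece of value.split(';')) {
    const token = piece.trim();
    if (token === '') continue;                      // tolerate ";;" or a trailing ";"
    const [name, ...rest] = token.split('=');
    const key = name.trim().toLowerCase();
    const val = rest.join('=').trim().replace(/^"(.*)"$/, '$1'); // max-age may be quoted
    if (seen.has(key)) { out.errors.push(`duplicate directive: ${key}`); continue; }
    seen.add(key);
    if (key === 'max-age') {
      if (!/^\d+$/.test(val)) { out.errors.push(`bad max-age: "${val}"`); continue; }
      out.maxAge = Number(val);
    } else if (key === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (key === 'preload') {
      out.preload = true;
    }
  }
  if (out.maxAge === null) out.errors.push('max-age is required');
  return out;
}

// Problems that would make the preload list reject this header value.
function preloadProblems(value) {
  const p = parseHsts(value);
  const problems = [...p.errors];
  if (p.maxAge !== null && p.maxAge < ONE_YEAR) problems.push(`max-age must be at least ${ONE_YEAR}`);
  if (!p.includeSubDomains) problems.push('includeSubDomains is required');
  if (!p.preload) problems.push('preload is required');
  return problems;
}

// Browser-style HSTS cache keyed by host. All times are epoch seconds.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Learn policy from a response. Only an HTTPS response counts: RFC 6797
  // requires the header to be ignored on plain HTTP, so an attacker on the
  // path cannot plant or clear policy. Returns true if the cache changed.
  processResponse(scheme, host, headerValue, now) {
    if (scheme !== 'https') return false;
    const p = parseHsts(headerValue);
    if (p.maxAge === null) return false;             // malformed: ignored
    if (p.maxAge === 0) return this.entries.delete(host);
    this.entries.set(host, { expires: now + p.maxAge, includeSubDomains: p.includeSubDomains });
    return true;
  }

  // Should an http:// request for `host` be rewritten to https:// before it
  // is sent? Expired entries are evicted; an entry for a parent domain
  // applies only if it was set with includeSubDomains.
  shouldUpgrade(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join('.');
      const e = this.entries.get(name);
      if (!e) continue;
      if (now >= e.expires) { this.entries.delete(name); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// Walk through the lifecycle described above with constructed data.
function runDemo() {
  const store = new HstsStore();
  const t0 = 1700000000;
  const hdr = `max-age=${ONE_YEAR}; includeSubDomains`;
  const r = {};
  r.ignoredOverHttp = store.processResponse('http', 'bank.example', hdr, t0);      // false
  r.beforePolicy = store.shouldUpgrade('bank.example', t0);                        // false
  r.learnedOverHttps = store.processResponse('https', 'bank.example', hdr, t0);    // true
  r.host = store.shouldUpgrade('bank.example', t0 + 60);                           // true
  r.subdomain = store.shouldUpgrade('login.bank.example', t0 + 60);                // true
  r.otherHost = store.shouldUpgrade('other.example', t0 + 60);                     // false
  r.afterExpiry = store.shouldUpgrade('bank.example', t0 + ONE_YEAR);              // false
  store.processResponse('https', 'bank.example', hdr, t0 + ONE_YEAR);              // header refreshed
  r.afterRefresh = store.shouldUpgrade('bank.example', t0 + ONE_YEAR + 1);         // true
  store.processResponse('https', 'bank.example', 'max-age=0', t0 + ONE_YEAR + 2);  // policy cleared
  r.afterClear = store.shouldUpgrade('bank.example', t0 + ONE_YEAR + 3);           // false
  return r;
}

console.log(runDemo());
console.log(preloadProblems('max-age=31536000; includeSubDomains'));
```

Run it with node; the last line reports that the one-year header from the first example below is not preload-ready because it lacks the preload directive. Feeding your own server's header value to preloadProblems is a quick pre-submission check; the HstsStore walk-through makes the two practitioner-relevant edges visible: a header on an http:// response does nothing, and an entry for a parent domain reaches its subdomains only when includeSubDomains was set.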

Google runs an HSTS preload service at https://hstspreload.org. If you meet the submission guidelines and submit your domain, browsers ship with the domain hard-coded as HTTPS-only, so even the very first visit is made over HTTPS. Although the list is maintained by Google, all major browsers consume it. Preloading is not part of the HSTS specification, and it is hard to undo: removal has to propagate through browser releases and takes months, so submit only when every subdomain can be served over HTTPS.

  • Find out more about the HSTS preload list in Chrome: https://www.chromium.org/hsts/
  • Consult the Firefox HSTS preload list: nsSTSPreloadList.inc

Examples

Using Strict-Transport-Security

All current and future subdomains are treated as HTTPS-only for a max-age of one year. Any page or subdomain that can only be served over HTTP becomes unreachable, so audit every subdomain before deploying this.

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

While a one-year max-age is acceptable, two years is recommended on https://hstspreload.org.

In this example, max-age is set to two years (63072000 seconds) and the preload directive is included. Browsers' preload lists require preload before they will accept a submission; by itself it does not change the browser's behaviour, but once the domain is preloaded the whole site, including every subdomain, is reached only over HTTPS from the first visit onward:

Example header:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

How to Modify Header using Requestly

Requestly is a Chrome extension that lets you modify HTTP headers, including the Strict-Transport-Security header, so you can test how your website behaves under different security policies during development or troubleshooting. Steps to modify the Strict-Transport-Security header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Strict-Transport-Security.
    • In the “Header Value” field, enter your desired security policy (e.g., max-age=31536000; includeSubDomains).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
  5. Save the rule.

After setup, Requestly adds or overrides the Strict-Transport-Security header on all matching responses (HSTS is a response header, so the rule must modify the response, not the request), letting you test how your site enforces secure connections.

You might modify this header to check how your website behaves with different security settings, or to simulate environments where strict HTTPS enforcement is applied or removed, before deploying a policy live. Two caveats apply. Browsers only honour the header on an HTTPS response with a valid certificate, so an injected header on an http:// page has no effect. And once the browser has stored a policy it persists for max-age, so to undo a test serve max-age=0 over HTTPS (in Chrome you can also delete the entry under chrome://net-internals/#hsts). An injected header also says nothing about what the origin server actually sends; verify that separately with a direct request to the server.