HTTP Strict Transport Security

In this lesson, we'll learn how to force secure communications with the use of the HTTP Strict Transport Security header to improve end-to-end communication for users and websites.

HTTP Strict Transport Security, also known as HSTS, is a protocol standard which enforces secure connections to the server via HTTP over SSL/TLS. HSTS is configured and transmitted from the server to any HTTP web client using the HTTP header Strict-Transport-Security. This specifies a time interval during which the browser should only communicate over an HTTP secured connection (HTTPS).

Tip

When a Strict-Transport-Security header is sent over an insecure HTTP connection, the web browser ignores it because the connection is insecure.

After the header has been set, the browser consults a preload service, like Google’s, to determine whether the website has opted in for HSTS.

Get hands-on with 1400+ tech skills courses.