hsts
ninabarzh edited this page Jan 24, 2022
- The web server sends the HSTS response header. It appears in the HTTPS response as (`max-age` is in seconds; the bracketed directives are optional):
`Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]`
- The web browser understands the HSTS response header. Older browsers do not, but all current major browsers do. Browsers also ship with a built-in preload list, so a site on that list is treated as HTTPS-only from installation (or upgrade) onward, before the browser has ever received the header from it. Whether a particular site is on the list, and whether it meets the submission requirements, can be checked at https://hstspreload.org/.
- The initial plain-HTTP request to the root domain is redirected immediately to HTTPS on that same root domain, before any further redirect to the "www" subdomain.
- The HSTS response header on the first HTTPS response specifies the `includeSubDomains` directive and the `preload` directive, and its `max-age` is at least 31536000 seconds (1 year).
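The four points above can be verified mechanically. The script below is an added example and is not part of this wiki page or of any project it describes; it uses only the Python standard library. `parse_hsts()` and `check_preload_requirements()` work offline on a header value and encode the preload requirements listed above (`max-age` of at least 31536000 seconds, `includeSubDomains`, `preload`). `live_check()` additionally performs the two network steps: it confirms that plain HTTP to the root domain redirects straight to `https://` on the same host, and that the first HTTPS response carries a preload-ready header. Hostnames passed on the command line are the caller's own; none are assumed here.

```python
"""Check Strict-Transport-Security headers against the HSTS preload requirements.

Added example (not the wiki page's own code). Standard library only.
"""
import http.client
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age (seconds) required for preloading


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains; preload'.
    Directive names are case-insensitive (RFC 6797), and max-age may be quoted."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(arg)
            except ValueError:
                max_age = None  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def check_preload_requirements(policy: HstsPolicy) -> List[str]:
    """Return the preload requirements the policy fails; an empty list means OK."""
    problems = []
    if policy.max_age is None:
        problems.append("max-age directive missing or malformed")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def live_check(host: str, timeout: float = 10.0) -> dict:
    """Network check (requires connectivity): HTTP root must redirect straight to
    https://<host>, and the first HTTPS response must carry a preload-ready header."""
    result = {"http_redirect_ok": False, "hsts": None, "problems": []}

    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location") or ""
    conn.close()
    target = urllib.parse.urlsplit(location)
    result["http_redirect_ok"] = (
        300 <= resp.status < 400
        and target.scheme == "https"
        and target.hostname == host  # same root domain on the first hop, not www
    )

    sconn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    sconn.request("GET", "/", headers={"Host": host})
    sresp = sconn.getresponse()
    hsts = sresp.getheader("Strict-Transport-Security")
    sconn.close()
    if hsts is None:
        result["problems"].append("no Strict-Transport-Security header on HTTPS response")
    else:
        result["hsts"] = parse_hsts(hsts)
        result["problems"].extend(check_preload_requirements(result["hsts"]))
    return result


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        r = live_check(h)
        print(h, "redirect OK" if r["http_redirect_ok"] else "redirect NOT OK",
              r["problems"] or "HSTS header meets the preload requirements")
```

Run it as `python hsts_check.py example.org` against a domain you control. Note that `live_check()` only inspects the root domain; a `max-age` that passes here can still be undermined by a subdomain served without TLS, which is exactly why the preload list insists on `includeSubDomains`.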