What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security, or HSTS, is a response header that instructs the browser to use HTTPS for every subsequent request it sends to that server. Once the browser has seen the header, a user who browses to http://www.networking4all.com is taken straight to https://www.networking4all.com, without the plain HTTP request ever being sent. This also stops an attacker in a Man in the Middle position from forcing a downgrade attack, which would push the traffic over an unencrypted connection instead of the encrypted HTTPS connection.

HSTS does not only apply to traffic that goes directly to the website: links on an external page that point at the HTTP URL are also upgraded to the secure HTTPS connection. Because HTTPS is enforced, session cookies can no longer be hijacked over an unencrypted connection.

Setting up HSTS on a server is as simple as adding one response header to the server configuration:

Strict-Transport-Security: max-age=31536000

This tells the browser to enforce HTTPS for this host for one year, or 31,536,000 seconds, counted from the moment the header was received.
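As an added example (not code from the original page or from networking4all), the following Python models how a browser applies the header above: it stores the max-age expiry per host, upgrades later http:// URLs to https:// locally before any request leaves the machine, and, following RFC 6797, only honors the header when it arrives over HTTPS and treats max-age=0 as removing the policy. The host names and header values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed demo of browser-side HSTS state; not networking4all's code.
_MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


def parse_max_age(header):
    """Return the max-age of a Strict-Transport-Security header value as an
    int, or None when the header carries no valid max-age directive."""
    m = _MAX_AGE.search(header)
    return int(m.group(1)) if m else None


class HstsStore:
    """Known HSTS hosts mapped to the Unix time their policy expires."""

    def __init__(self):
        self.expiry = {}

    def note_response(self, url, headers, now):
        """Record the policy carried by a response. Per RFC 6797 the header is
        ignored over plain HTTP, and max-age=0 deletes an existing policy.
        Returns True when the store was updated."""
        parts = urlsplit(url)
        hdr = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or hdr is None:
            return False
        max_age = parse_max_age(hdr)
        if max_age is None:
            return False
        if max_age == 0:
            self.expiry.pop(parts.hostname, None)
        else:
            self.expiry[parts.hostname] = now + max_age
        return True

    def rewrite(self, url, now):
        """Return the URL the browser would actually request: an http:// URL
        for a host with an unexpired policy becomes https:// without any
        cleartext request being sent."""
        parts = urlsplit(url)
        exp = self.expiry.get(parts.hostname)
        if parts.scheme == "http" and exp is not None and now < exp:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```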