HSTS

A security policy mechanism that forces browsers to communicate with a server exclusively over encrypted HTTPS connections, blocking insecure HTTP access.

HSTS (HTTP Strict Transport Security) is a response header that instructs web browsers to interact with a specific domain only via HTTPS. It prevents Man-in-the-Middle (MitM) attacks such as SSL stripping, where an attacker intercepts the initial plain-HTTP request so that the upgrade to an encrypted connection never happens.

How it works

When a server sends the Strict-Transport-Security header, the browser caches this instruction for a duration defined by the max-age directive. For subsequent requests, the browser internally redirects all http:// URLs to https:// before any data leaves the local machine, ensuring no unencrypted traffic is sent over the network.

Deploying it is essential for any production environment that handles sensitive data or authentication tokens. Because the header can only be learned from a previous HTTPS response, the very first connection is still unprotected; to cover it, administrators submit their domains to the HSTS Preload List, a list compiled into modern browsers (Chrome, Firefox, Safari) that enforces HTTPS for those domains even if the user has never visited the site.

A standard policy header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. The max-age value of 63072000 seconds enforces the policy for two years, includeSubDomains extends it to every subdomain of the host, and the preload directive signals that the site is ready for inclusion in the browser preload list.