HSTS (HTTP Strict Transport Security)
A security mechanism that forces browsers to always use the secure HTTPS version of a website, protecting against downgrade attacks.
What is HSTS (HTTP Strict Transport Security)?
HSTS (HTTP Strict Transport Security) is a security mechanism that forces browsers to always use the secure HTTPS version of a website, even if users accidentally type “http://” or click old non-secure links. Once a browser visits an HTTPS site with HSTS enabled, it remembers to use the secure connection for all future visits for the duration the site specifies, protecting against attackers who try to intercept unencrypted traffic.
How HSTS Works
HSTS operates through HTTP headers that instruct browsers on security behavior:
- Security Header: Server sends Strict-Transport-Security header with HTTPS responses
- Browser Memory: Browser stores the HSTS policy for the specified duration
- Automatic Redirects: Browser automatically converts HTTP requests to HTTPS
- Subdomain Protection: Can include all subdomains in the security policy
- Preload Lists: Major sites can be included in browser preload lists
Security Benefits and Implementation
HSTS prevents SSL stripping attacks, in which an attacker downgrades a connection from HTTPS to HTTP in order to intercept data. It also protects against mixed content vulnerabilities and keeps every request to the site on HTTPS. Organizations should deploy HSTS with an appropriate max-age value and consider including subdomains. Major websites can submit to the HSTS preload lists maintained by browser vendors so that protection applies from the very first visit, before any header has been seen.
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces