
Enforce HTTPS using Strict-Transport-Security Header

Sunday, March 15, 2020

Enforcing a secure connection to your server is critical. The Strict-Transport-Security header tells the browser that, once a client has accessed your domain (and possibly sub-domains) over HTTPS, all subsequent requests must use HTTPS until the max-age is reached. This helps to avoid mistakes where a client inadvertently makes a non-secure request.

It is recommended that you set the max-age to a long lived value; a year (31536000 seconds) is suggested.



- Include the Strict-Transport-Security response header with a long-lived `max-age`
- Add the `includeSubDomains` flag to enforce secure connections for the domain and all sub-domains
- Enforce secure connections using HTTPS

Code Examples

Specify the Strict-Transport-Security header:

Strict-Transport-Security: max-age=31536000; includeSubDomains
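
A check to go with the header above, added here as an example and not taken from the original post: it parses a Strict-Transport-Security value using the RFC 6797 rules (case-insensitive directive names, optional quoting of max-age, no repeated directives) and reports where the policy falls short of the one-year `max-age` and `includeSubDomains` advice. The function names `parseHsts` and `auditHsts` and the sample header values are assumptions made for this illustration.

```javascript
// Added example; sample header values below are constructed.
const ONE_YEAR = 31536000; // seconds, the max-age suggested in the article

// Parse a header value into a Map of lower-cased directive names.
// Returns null when a directive repeats, which makes the header invalid.
// Simplification: splits on ';', so quoted values containing ';' are not handled.
function parseHsts(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const token = part.trim();
    if (token === '') continue; // empty directives (";;") are allowed
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : token.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // max-age="31536000"
    if (directives.has(name)) return null;
    directives.set(name, val);
  }
  return directives;
}

// Return a list of findings; an empty list means the policy matches the advice above.
function auditHsts(value, minAge = ONE_YEAR) {
  const d = typeof value === 'string' ? parseHsts(value) : null;
  if (d === null) return ['header missing or malformed'];
  const raw = d.get('max-age');
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) {
    return ['max-age missing or not a non-negative integer'];
  }
  const findings = [];
  const age = Number(raw);
  if (age === 0) findings.push('max-age=0 tells the browser to forget the policy');
  else if (age < minAge) findings.push(`max-age ${age} is below ${minAge} seconds`);
  if (!d.has('includesubdomains')) findings.push('includeSubDomains is not set');
  return findings;
}

for (const sample of [
  'max-age=31536000; includeSubDomains',
  'MAX-AGE="31536000" ; INCLUDESUBDOMAINS',
  'max-age=300',
  'max-age=31536000; max-age=0; includeSubDomains',
]) {
  console.log(JSON.stringify(sample), '->', auditHsts(sample));
}
```

Run it against the header your server actually returns on an HTTPS response; browsers ignore Strict-Transport-Security when it arrives over plain HTTP.
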
Brian Love

I am a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. I regularly speak at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, I enjoy skiing, hiking, and being in the outdoors. I started lookout.dev to break down the barriers of learning in public. Learning in public fosters growth - for ourselves and others.
