
Enforce HTTPS Using the Strict-Transport-Security Header

Sunday, March 15, 2020

Enforcing a secure connection to your server is critical. The Strict-Transport-Security header (HSTS) tells a client that, once it has received the header from your domain over HTTPS, every subsequent request to that domain (and optionally its sub-domains) must use HTTPS until max-age seconds have elapsed: the browser rewrites http:// URLs to https:// before any request leaves the machine, and it will not let the user click through certificate errors for that host. This helps to avoid mistakes where a client inadvertently makes a non-secure request, for example by following an old http:// link. Note that the header is only honoured when it arrives over HTTPS; a client ignores it on a plain-HTTP response, so you still need the usual redirect from HTTP to HTTPS to get clients onto a secure connection the first time.

It is recommended that you set max-age to a long-lived value; a year (31536000 seconds) is suggested. Because clients will refuse plain HTTP for the whole period, make sure every host the policy covers actually serves HTTPS before committing to a long max-age; rolling out with a short value first and raising it once nothing breaks is a common precaution. Sending max-age=0 tells clients to drop the stored policy.

Instructions

  • Do:

    include the Strict-Transport-Security response header with a long-lived `max-age`

  • Consider:

    adding the includeSubDomains flag to enforce secure connections for the domain and all of its sub-domains; only do this when every sub-domain (including any run by other teams or third parties) is served over HTTPS, otherwise those hosts become unreachable for the max-age period

  • Why:

    enforce secure connections using HTTPS

Do

specify the Strict-Transport-Security header

Strict-Transport-Security: max-age=31536000; includeSubDomains

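As an added example (not code from the original post), here is a small JavaScript model of the behaviour described above: a helper that emits the recommended header value, a parser for the directive syntax, and a store that mimics how a client records and applies the policy (ignored over plain HTTP, includeSubDomains matching, expiry after max-age, max-age=0 clearing the entry). The names buildHstsHeader, parseHsts, HstsStore and walkthrough, and all host names, timestamps and header values, are this example's own constructed assumptions.

```javascript
// Added example, not code from the original post: a minimal model of how a
// client applies Strict-Transport-Security. Hosts and clock values are constructed.

const ONE_YEAR_SECONDS = 31536000;

// Build the header value the post recommends: a one-year max-age plus
// includeSubDomains (both parameters are this example's own).
function buildHstsHeader(maxAge = ONE_YEAR_SECONDS, includeSubDomains = true) {
  if (!Number.isInteger(maxAge) || maxAge < 0) throw new RangeError('max-age must be a non-negative integer');
  return `max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// Parse a received header value into { maxAge, includeSubDomains }, or null when malformed:
// max-age is required exactly once, names are case-insensitive, unknown directives are ignored.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// An in-memory "known HSTS hosts" list like the one a browser keeps.
class HstsStore {
  constructor() { this.hosts = new Map(); } // host -> { expires, includeSubDomains }

  // Record the policy from one response; returns true if it was applied. The header
  // is only honoured on an HTTPS response. max-age=0 removes the stored policy and
  // every valid header resets the expiry to now + max-age.
  observeResponse(host, scheme, headerValue, nowSeconds) {
    if (scheme !== 'https') return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.hosts.delete(key);
      return true;
    }
    this.hosts.set(key, {
      expires: nowSeconds + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Decide whether a request to `host` must be rewritten to https://: true when the host
  // itself has an unexpired policy, or a parent domain has one with includeSubDomains.
  // Expired entries are dropped as they are encountered.
  mustUseHttps(host, nowSeconds) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowSeconds) {
        this.hosts.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Walk through the scenario the post describes and return what the client
// decides at each step (constructed hosts and clock values).
function walkthrough() {
  const store = new HstsStore();
  const header = buildHstsHeader(); // "max-age=31536000; includeSubDomains"
  const t0 = 1700000000;
  return {
    header,
    ignoredOverHttp: !store.observeResponse('example.com', 'http', header, t0)
      && !store.mustUseHttps('example.com', t0),
    appliedOverHttps: store.observeResponse('example.com', 'https', header, t0),
    apexUpgraded: store.mustUseHttps('example.com', t0 + 60),
    subdomainUpgraded: store.mustUseHttps('api.example.com', t0 + 60),
    unrelatedHostUntouched: store.mustUseHttps('notexample.com', t0 + 60),
    expiredAfterMaxAge: !store.mustUseHttps('example.com', t0 + ONE_YEAR_SECONDS),
  };
}
console.log(walkthrough());
```

The store deliberately takes the clock as a parameter so the expiry behaviour can be exercised without waiting a year; a real client would use the wall clock, and would also refresh the expiry every time it sees the header, which is why a long max-age on a regularly visited site never lapses in practice.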
Brian Love
Brian is a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. He regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, Brian enjoys skiing, hiking, and being in the outdoors. Brian recently launched lookout.dev where you can find best practices and expert advice on topics ranging from TypeScript, Angular, React, Node.js and more.
Google Developers Expert
