
Enforce HTTPS using Strict-Transport-Security Header

Sunday, March 15, 2020

Enforcing a secure connection to your server is critical. The Strict-Transport-Security (HSTS) header tells a browser that, once it has received the header from your domain over HTTPS, it must use HTTPS for every subsequent request to that domain (and, if includeSubDomains is set, to all of its sub-domains) for the number of seconds given in max-age. The browser rewrites plain http:// URLs to https:// before the request leaves the machine, which avoids mistakes where a client inadvertently makes a non-secure request, for example by following an http:// link. Two caveats: browsers ignore the header when it arrives over plain HTTP, so it must be sent on HTTPS responses, and it offers no protection until the client's first successful HTTPS visit has delivered it.

It is recommended that you set max-age to a long-lived value; one year (31536000 seconds) is suggested. The browser restarts the timer each time it receives the header, so a long max-age only lapses for clients that stop visiting.

Code Examples

Strict-Transport-Security: max-age=31536000; includeSubDomains

do: specify the Strict-Transport-Security header


  • Do:

    include the Strict-Transport-Security response header, sent over HTTPS, with a long-lived max-age

  • Consider:

    adding the includeSubDomains flag to enforce secure connections for the domain and all sub-domains; only do so once every sub-domain is served over HTTPS, since the browser will refuse plain-HTTP connections to all of them

  • Why:

    enforce secure connections using HTTPS

Brian Love

Brian is a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. He regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, Brian enjoys skiing, hiking, and being in the outdoors. Brian recently launched where you can find best practices and expert advice on topics ranging from TypeScript, Angular, React, Node.js and more.

Google Developers Expert
