Enforce HTTPS using Strict-Transport-Security Header
Sunday, March 15, 2020
Enforce HTTPS using Strict-Transport-Security Header
Enforcing a secure connection to your server is critical. The Strict-Transport-Security header enforces that once a client has accessed your domain (and possibly sub-domains) using HTTPS, then until the max-age is reached, all subsequent requests will use HTTPS. This helps to avoid mistakes where our client may inadvertently make a non-secure request.
It is recommended that you set the max-age to a long lived value; a year (31536000 seconds) is suggested.
Instructions
include the Strict-Transport-Security response header with a long-lived `max-age
adding the includeSubDomains flag to enforce secure connections for the domain and all sub-domains
enforce secure connections using HTTPS
Code Examples
specify the Strict-Transport-Security header
Strict-Transport-Security: max-age=31536000; includeSubDomainsI am a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. I regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, I enjoy skiing, hiking, and being in the outdoors. I started lookout.dev to break down the barriers of learning in public. Learning in public fosters growth - for ourselves and others.
Have a question or comment?