Enforce HTTPS using Strict-Transport-Security Header
Sunday, March 15, 2020
Enforcing a secure connection to your server is critical. The Strict-Transport-Security
header (HSTS, RFC 6797) tells a browser that, once it has received the header from your domain over a valid HTTPS connection, it must rewrite every http:// request to that host (and, with includeSubDomains, to all of its sub-domains) to https:// until the max-age
expires, and must refuse to click through certificate errors for that host. This avoids mistakes where a client, a link or a redirect inadvertently makes a non-secure request. Two caveats: browsers ignore the header when it arrives over plain HTTP or over a connection with certificate errors, so it must be sent on HTTPS responses, and the very first visit to a host is not protected because the browser has not yet seen the policy. Before adding includeSubDomains, confirm that every sub-domain is actually served over HTTPS; otherwise those hosts become unreachable for the lifetime of the policy.
It is recommended that you set the max-age
to a long-lived value; a year (31536000 seconds) is suggested. Note that max-age=0 does not disable HSTS for the future; it removes the policy the browser has already stored.
Instructions
include the Strict-Transport-Security
response header with a long-lived max-age
on every HTTPS response
add the includeSubDomains
flag to enforce secure connections for the domain and all sub-domains
enforce secure connections using HTTPS, so that the header is delivered over a connection the browser trusts
Code Examples
specify the Strict-Transport-Security
header
Strict-Transport-Security: max-age=31536000; includeSubDomains
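As an added example (not code from the original page), the Python below builds the header value shown above and audits a response the way a practitioner checks a deployment: it parses the header per RFC 6797 (directive names are case-insensitive, max-age is mandatory and must not repeat), and flags the mistakes the text warns about, such as a short or zero max-age, a missing includeSubDomains flag, or a policy delivered over plain HTTP that browsers would ignore. The sample responses at the bottom are constructed for the demonstration; the function and constant names are the author's choice, not part of any standard library.

```python
"""Build and audit Strict-Transport-Security (HSTS) header values."""
import re

ONE_YEAR = 31536000  # seconds; the long-lived max-age recommended above


def build_hsts(max_age=ONE_YEAR, include_subdomains=True):
    """Return the header value to send on every HTTPS response."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value):
    """Parse an HSTS header value into a dict keyed by lower-cased directive.

    Returns None when the header is malformed (missing or non-numeric
    max-age, or a directive given twice), which is how a browser treats it:
    the policy is ignored.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:  # RFC 6797: each directive may appear only once
            return None
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit_response(scheme, headers, min_age=ONE_YEAR):
    """Audit one response; return a list of findings (empty means OK).

    `scheme` is the URL scheme the response was fetched over and `headers`
    is a dict of response headers (names matched case-insensitively).
    """
    findings = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    if scheme != "https":
        findings.append("HSTS delivered over plain HTTP: browsers ignore it")
    parsed = parse_hsts(hsts)
    if parsed is None:
        return findings + ["malformed HSTS header: policy will be ignored"]
    if parsed["max-age"] == 0:
        findings.append("max-age=0 removes the stored policy")
    elif parsed["max-age"] < min_age:
        findings.append(f"max-age {parsed['max-age']} is shorter than {min_age}")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing: sub-domains stay unprotected")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = {
        "good": ("https", {"Strict-Transport-Security": build_hsts()}),
        "short": ("https", {"strict-transport-security": "max-age=300"}),
        "plain-http": ("http", {"Strict-Transport-Security": build_hsts()}),
        "absent": ("https", {"Content-Type": "text/html"}),
    }
    for name, (scheme, hdrs) in samples.items():
        print(f"{name}: {audit_response(scheme, hdrs) or 'OK'}")
```

Run it against real output by pasting the headers from `curl -sI https://example.com` into the `headers` dict; checking the plain-`http://` response separately confirms that the site redirects to HTTPS before the header is ever relied on.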