What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism designed to protect HTTPS websites against protocol-downgrade attacks and cookie hijacking. A web server configured to use HSTS instructs web browsers (and other HSTS-aware clients) to reach it only over HTTPS: the client rewrites any http:// URL for that host to https:// before connecting, and treats TLS certificate errors for the host as fatal instead of offering a click-through warning. Because the policy is learned from a response, the very first visit to a site is not yet protected unless the domain is on the browsers' built-in preload list.

This instruction is called the “HSTS Policy” and is delivered to the client in an HTTP response header field (Strict-Transport-Security) on a response received over HTTPS; a client must ignore the header if it arrives over plain HTTP, since an attacker on the path could otherwise inject or strip it. A server’s HSTS Policy states how long (max-age, in seconds) the client should cache the instruction and whether subdomains must also use HTTPS only (includeSubDomains).

HSTS is an IETF standard, specified in RFC 6797 (2012), and is implemented by all major browsers.
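The following Python model shows what the policy described above means on the client side: it parses a Strict-Transport-Security header, caches the policy only when the response came over HTTPS, honours max-age expiry and includeSubDomains, and upgrades http:// URLs for known hosts to https://. It is an added example written for this article, not SSL.com code or a browser's implementation; the names parse_hsts, HstsPolicy and HstsCache and the header values used are this example's own assumptions.

```python
"""Model of how an HSTS-aware client handles Strict-Transport-Security
(RFC 6797). Added example, not SSL.com code; parse_hsts / HstsCache are
names chosen for this illustration. Header values below are constructed."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy is valid, counted from receipt
    include_subdomains: bool  # policy also covers every subdomain of the host
    expires_at: float         # absolute time after which the entry is stale


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains), or None when the header is
    malformed and must be ignored: max-age is required, its value must be
    decimal seconds (optionally quoted), and no directive may be repeated.
    Directive names are case-insensitive. Unknown directives such as
    'preload' (a preload-list submission marker, not an RFC 6797 directive)
    are skipped rather than treated as errors.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Per-client store of HSTS policies keyed by exact host name."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._store = {}         # host -> HstsPolicy

    def process_response(self, host, scheme, header_value):
        """Apply the header from a response. Returns True if the store changed."""
        if scheme != "https":
            return False         # header over plain HTTP is ignored (RFC 6797 §8.1)
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False         # malformed header: ignore, keep existing policy
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._store.pop(host, None)   # max-age=0 tells the client to forget the host
            return True
        self._store[host] = HstsPolicy(max_age, include_subdomains,
                                       self._now() + max_age)
        return True

    def must_use_https(self, host):
        """True if host or a covering parent domain has an unexpired policy."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._store.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._store[candidate]    # lazy eviction of stale entries
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade_url(self, url):
        """Rewrite http:// to https:// for known hosts (RFC 6797 §8.3).
        An explicit port 80 becomes the https default; other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.must_use_https(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.process_response("example.com", "https",
                           "max-age=31536000; includeSubDomains")
    print(cache.upgrade_url("http://www.example.com/login?next=/"))
```

The injected clock makes the expiry behaviour visible without waiting: once max-age seconds have passed the entry is dropped and the client falls back to whatever URL it was given, which is exactly why sites should send a long max-age on every HTTPS response rather than only once.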
