Understanding HSTS (HTTP Strict Transport Security)
HSTS stands for HTTP Strict Transport Security. It is a web security mechanism (RFC 6797) that protects a site's users from attacks that rely on plaintext HTTP, chiefly man-in-the-middle (MITM) attacks and SSL stripping, where an attacker on the network path keeps the victim on http:// while talking HTTPS to the real server and reads or alters everything in between.
What It Does
HSTS tells browsers to communicate with a website only over HTTPS, never over plain HTTP.
Once a browser has received a site's HSTS policy over a valid HTTPS connection, it remembers to use HTTPS for every later request to that host for the period the policy specifies: a typed http:// URL or an http:// link is rewritten to https:// before any request leaves the browser, and the browser refuses to let the user click through a certificate error for that host.
The protection is trust-on-first-use: the very first visit, before any policy has been seen, is still exposed unless the site is on the preload list. The policy is also stored per browser profile, so a fresh browser or a cleared history starts from scratch.
How It Is Set Up
When a website supports HSTS, it sends the Strict-Transport-Security response header. Browsers only honour this header when it arrives over a valid HTTPS connection; a copy sent over plain HTTP is ignored, so the site needs its usual HTTP-to-HTTPS redirect in place for the policy ever to be learned.
The header value is a list of semicolon-separated directives:
- max-age: how long (in seconds) the browser should enforce HTTPS, counted from the most recent response that carried the header. For example, 31536000 equals 1 year. max-age=0 tells the browser to drop the policy, which is how a site rolls HSTS back.
- includeSubDomains: if present, the rule also applies to all subdomains of the host. Check that every subdomain (including internal and legacy ones) serves HTTPS before enabling it, because any HTTP-only subdomain becomes unreachable for users who have cached the policy.
- preload: signals consent to be included in the browsers' hardcoded HSTS preload list, protecting users even on their very first visit. The directive by itself does nothing; the domain has to be submitted at hstspreload.org, which requires a max-age of at least one year (31536000), includeSubDomains, the preload directive, and an HTTP-to-HTTPS redirect on the same host. Removal from the list takes months to reach users, so treat preloading as permanent.
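To make the behaviour above concrete, here is an added example (not code from the original page) that models what a browser does with this header: it parses the directives as RFC 6797 describes, keeps a store of known HSTS hosts with expiry and subdomain scope, rewrites later http:// URLs, and reports why a header would fail the hstspreload.org submission rules. The one-year minimum is an assumption about that site's current rules; all hosts, header values and timestamps are constructed for illustration.

```python
"""Added example, not code from the original page: a model of how a browser parses a
Strict-Transport-Security header, stores the policy and rewrites later http:// requests,
plus a check against the hstspreload.org submission rules. All inputs are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; assumption: the minimum max-age hstspreload.org requires


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse the header value per RFC 6797. Returns None for values a browser must
    ignore: missing or non-numeric max-age, or a directive that appears twice."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # the value may be a quoted-string
            if not (val.isascii() and val.isdigit()):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def preload_issues(policy: Optional[HstsPolicy]) -> list:
    """Why the header alone would fail hstspreload.org's checks (assumption: its current rules)."""
    if policy is None:
        return ["missing or malformed max-age"]
    issues = []
    if policy.max_age < ONE_YEAR:
        issues.append(f"max-age {policy.max_age} is below the required {ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not policy.preload:
        issues.append("preload directive missing")
    return issues


class HstsCache:
    """Simulated browser store of known HSTS hosts: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def process_response(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        # Only honoured over HTTPS (RFC 6797 section 8.1), so an attacker on a
        # plaintext connection can neither plant nor alter a policy.
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = (now + policy.max_age, policy.include_subdomains)

    def is_hsts_host(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for a known host before the request leaves the
        browser; an explicit :80 becomes the https default, other ports stay (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_hsts_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Feeding the page's own value `max-age=63072000; includeSubDomains; preload` to `parse_hsts` gives a policy with no preload issues, while `max-age=300` reports three. Note that `process_response` discards a header seen over `http`, which is exactly why the site's HTTP-to-HTTPS redirect matters: the browser has to get one HTTPS response before the policy exists, and after that `rewrite_url` never lets an `http://` request for that host, or for `www.` under includeSubDomains, go out at all.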
🛡️ Sample PHP Headers
You can send HSTS and other common security headers directly from PHP. Put the snippet below at the very top of your `header.php` or `index.php`, before any output (including whitespace before `<?php`), because PHP cannot add headers once the response body has started. Sending HSTS only on HTTPS requests keeps it from being silently ignored and makes it obvious where the policy is set; setting the same headers at the web server (nginx or Apache) additionally covers static files and error pages that never reach PHP.
```php
<?php
// Browsers only honour HSTS over HTTPS, so send it only on HTTPS requests.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");
}
header("X-XSS-Protection: 0"); // legacy filter; modern browsers ignore it and OWASP advises disabling it
header("X-Frame-Options: SAMEORIGIN"); // clickjacking defence: only same-origin pages may frame this one
header("X-Content-Type-Options: nosniff"); // stop the browser guessing a different MIME type
header("Referrer-Policy: strict-origin-when-cross-origin"); // no-referrer-when-downgrade would leak full URLs cross-origin
header("Content-Security-Policy: upgrade-insecure-requests"); // fetch http:// subresources over https:// instead
```
Summary
- HSTS is a security feature that makes browsers reach a site only via HTTPS once they have learned its policy over HTTPS or have it preloaded.
- It helps prevent attacks that try to downgrade secure connections (SSL stripping) and blocks click-through of certificate errors for the host.
- It is activated by the Strict-Transport-Security response header, can apply to subdomains and can be preloaded into browsers; test with a short max-age before committing to a long one, since a cached policy cannot be revoked from clients that never come back over HTTPS.