The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
UNDERSTANDING HSTS
- The HSTS response header looks like the following:
HEADER : Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- HSTS declares that a client should only interact with a site over HTTPS.
- It helps protect against "downgrade attacks", in which an HTTPS connection is forced down to plain HTTP so that the data, now unencrypted, can be stolen.
- HSTS relies on "Trust On First Use (TOFU)": the browser only learns the policy from a response it has already received over HTTPS, so the very first visit is not yet protected.

MAX-AGE KEYWORD
- It declares the period for which insecure requests cannot be made.
- The value is in seconds; 31536000 seconds is approximately 1 year.
- The duration is reset on every receipt of the response header.
We can use Chrome's internal tool to check whether a site is using HSTS, as shown below.

URL : chrome://net-internals/#hsts
INCLUDE SUBDOMAINS KEYWORD
- The scope of HSTS can be extended to all subdomains by adding the includeSubDomains directive.
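As an added example (not part of the original notes), the following Python models how a browser handles the max-age and includeSubDomains directives described above: it parses the header, keeps a small policy cache whose expiry is refreshed on every receipt, and decides whether an http:// request must be upgraded. The HstsPolicy and HstsStore names are assumptions of this example; note that a misspelled directive name is simply ignored, so the header still "works" but without subdomain coverage.

```python
from typing import NamedTuple, Optional

class HstsPolicy(NamedTuple):
    max_age: int              # seconds the policy stays in force
    include_subdomains: bool  # includeSubDomains directive present
    preload: bool             # preload directive present

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 6.1). Unknown directives are ignored
    (a misspelled includeSubDomains silently loses subdomain coverage); max-age is mandatory."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age: whole header is invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry time, policy)."""
    def __init__(self) -> None:
        self.entries = {}

    def record(self, host: str, header: str, now: int) -> bool:
        """Store a header received over HTTPS (HSTS sent over plain HTTP is ignored)."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy.max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + policy.max_age, policy)  # expiry refreshed on each receipt
        return True

    def must_upgrade(self, host: str, now: int) -> bool:
        """True if an http:// request for host must go to https:// (TOFU: nothing before first HTTPS visit)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue  # unknown host or expired policy
            if i == 0 or entry[1].include_subdomains:
                return True  # exact host, or a parent that asserted includeSubDomains
        return False
```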