Strict-Transport-Security
HSTS tells the browser to connect to your site only over HTTPS for the next max-age seconds, even if a user types http:// or follows a plain-HTTP link. This shuts down SSL-stripping man-in-the-middle attacks. Send it only over HTTPS (browsers ignore the header on a plain-HTTP response). Use includeSubDomains once every subdomain serves HTTPS, and preload only when you are ready to be hard-coded into browsers' preload lists (removal is slow). Reference: MDN.
Example
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Options
| Option | Type | Default | Notes |
|---|---|---|---|
| maxAge | number | 63072000 | 2 years (63072000) is the preload-list requirement. At least 1 year (31536000) for a good grade. |
| includeSubDomains | toggle | true | Apply to every subdomain. Only enable once they all serve HTTPS. |
| preload | toggle | true | Eligible for hstspreload.org. Hard to undo; enable deliberately. |
Scoring
Contributes up to 25 points to your grade.
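The following is an added example, not code from the page or from the tool it describes: it builds a header value from the three options in the table, parses a received value the way RFC 6797 tells browsers to (case-insensitive directive names, unknown directives ignored, missing or repeated directives make the whole header ignored), and grades it against the thresholds the page states (at least 1 year for a good grade, 2 years plus includeSubDomains for preload). The function names and the split of the 25 points into 15/5/5 are this example's own assumptions; the page only states the total.

```python
"""Build, parse and grade Strict-Transport-Security header values.

Added example, not the page's own code. Thresholds follow the page's
Options table; the 15/5/5 point split is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000    # page: minimum for a good grade
TWO_YEARS = 63072000   # page: preload-list requirement


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def build_hsts(max_age: int = TWO_YEARS, include_subdomains: bool = True,
               preload: bool = True) -> str:
    """Serialize the header value in the form shown in the page's example."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


# max-age value is delta-seconds, optionally quoted (RFC 6797 section 6.1.1)
_MAX_AGE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse a header value as a browser would.

    Returns None when the header would be ignored: no max-age, a
    non-numeric max-age, or any directive appearing more than once.
    Unknown directives are skipped, as RFC 6797 requires.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:          # duplicate directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            m = _MAX_AGE.match(directive)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return Hsts(max_age, include_subdomains, preload)


def grade_hsts(value: Optional[str],
               served_over_https: bool = True) -> Tuple[int, List[str]]:
    """Score 0..25 with the page's thresholds; also returns findings."""
    findings: List[str] = []
    if not served_over_https:
        return 0, ["HSTS is honoured only over HTTPS; a plain-HTTP response cannot set it"]
    if value is None:
        return 0, ["no Strict-Transport-Security header"]
    hsts = parse_hsts(value)
    if hsts is None:
        return 0, ["malformed header value; browsers will ignore it"]
    if hsts.max_age == 0:
        return 0, ["max-age=0 clears the policy instead of enforcing it"]
    score = 0
    if hsts.max_age >= ONE_YEAR:
        score += 15
    else:
        findings.append(f"max-age {hsts.max_age} is below one year ({ONE_YEAR})")
    if hsts.include_subdomains:
        score += 5
    else:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not hsts.preload:
        findings.append("preload not set")
    elif hsts.max_age >= TWO_YEARS and hsts.include_subdomains:
        score += 5
    else:
        findings.append("preload set but max-age < 2 years or includeSubDomains missing; not preload-eligible")
    return score, findings


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for sample in ["max-age=63072000; includeSubDomains; preload",
                   "max-age=300", "includeSubDomains", "max-age=0"]:
        print(sample, "->", grade_hsts(sample))
```

Note that grade_hsts treats max-age=0 as a zero score on purpose: it is the documented way to withdraw a policy, so a scanner should not credit it as enforcement.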