HTTP Strict Transport Security (HSTS)

Site upgrades to a secure connection.

Indicators

Impact

(How ScanGov measures tasklist priorities.)

About

HTTP Strict Transport Security is a security feature that:

  • Forces web browsers to use HTTPS instead of HTTP, rewriting http:// URLs to https:// before any request is sent.
  • Protects against downgrade attacks and cookie hijacking by refusing plain-HTTP connections to the site.
  • Specifies a period (max-age, in seconds) during which the browser should enforce HTTPS for the site, optionally including all of its subdomains.

Key points:

  • Activated by the server through a response header (Strict-Transport-Security) sent over HTTPS; browsers ignore the header if it arrives over plain HTTP.
  • Takes effect only after the browser's first HTTPS visit; the preload directive and submission to the browser preload list close that first-visit gap.
  • Helps improve website security by ensuring encrypted connections, but an includeSubDomains policy also makes any HTTP-only subdomain unreachable for the duration of max-age, so every subdomain must support HTTPS first.
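The server configuration that the key points above imply, as an added example (not ScanGov's own configuration or code) for nginx; the hostname, certificate paths and the one-year max-age are assumptions:

```nginx
# Added example, not ScanGov's own configuration. example.gov, the certificate
# paths and the one-year max-age are assumptions.

server {
    listen 80;
    listen [::]:80;
    server_name example.gov www.example.gov;

    # Redirect every plain-HTTP request to HTTPS on the same host.
    # No HSTS header is set here: browsers ignore Strict-Transport-Security
    # received over HTTP (RFC 6797, section 8.1), so it would be wasted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.gov www.example.gov;

    ssl_certificate     /etc/ssl/certs/example.gov.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.gov.key;           # assumed path

    # Set HSTS only once every subdomain is reachable over HTTPS: with
    # includeSubDomains, an HTTP-only subdomain becomes unreachable for the
    # policy's lifetime. "always" emits the header on every response code,
    # including redirects and error pages, which the preload list requires.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /var/www/example.gov;   # assumed document root
        index index.html;
    }
}
```

One nginx pitfall worth checking after deploying this: an `add_header` inside a nested `location` block replaces, rather than extends, the `add_header` directives inherited from the `server` block, so a location that adds its own header silently drops the HSTS header for that path unless it repeats it.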

Why it's important

Forces secure connections, protecting user data by making the browser load the site only over an encrypted connection, even when the user types http:// or follows an http:// link.

User stories

As a site visitor, I want the website to automatically redirect to HTTPS and prevent any connection via HTTP so that my data is always encrypted and secure during transmission.

Code

Example header (one-year max-age, covering all subdomains, and meeting the browser preload list's minimum requirements of max-age at least 31536000, includeSubDomains and preload):

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
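A small checker, added here as an example and not ScanGov's own scanner code, that parses a Strict-Transport-Security header the way RFC 6797 directs a browser to (case-insensitive directive names, optionally quoted max-age, duplicate directives rejected, max-age=0 treated as removing the policy) and then reports whether the policy is enforced and whether it meets the preload list's requirements. The sample headers are constructed; `fetch_hsts` is a convenience for pointing it at a live https:// origin and only runs when a URL is passed on the command line.

```python
"""Parse and grade a Strict-Transport-Security header (added example, not
ScanGov's scanner). Sample headers below are constructed, not scan results."""
import re
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        # A header without a usable max-age is ignored by browsers; max-age=0
        # tells the browser to forget the site, so neither enforces HTTPS.
        return not self.problems and (self.max_age or 0) > 0

    @property
    def preload_eligible(self) -> bool:
        return (self.enforced and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse the header value per RFC 6797 section 6.1."""
    policy = HstsPolicy()
    if header is None:
        policy.problems.append("no Strict-Transport-Security header")
        return policy
    seen = set()
    saw_max_age = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip()
        if name in seen:                     # directives MUST NOT appear more than once
            policy.problems.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            saw_max_age = True
            match = re.fullmatch(r'"?(\d+)"?', value)   # value may be a quoted-string
            if match:
                policy.max_age = int(match.group(1))
            else:
                policy.problems.append(f"bad max-age value {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as the RFC requires.
    if not saw_max_age:
        policy.problems.append("missing max-age")
    return policy


def verdict(header: Optional[str]) -> str:
    """One-line grade in the spirit of a scanner's pass/fail messaging."""
    p = parse_hsts(header)
    if not p.enforced:
        return "FAIL: " + "; ".join(p.problems or ["max-age=0 removes the policy"])
    notes = []
    if p.max_age < ONE_YEAR:
        notes.append(f"max-age {p.max_age}s is under one year")
    if not p.include_subdomains:
        notes.append("subdomains not covered")
    label = "PASS (preload-eligible)" if p.preload_eligible else "PASS"
    return label + (": " + ", ".join(notes) if notes else "")


def fetch_hsts(url: str) -> Optional[str]:
    """Fetch the header from a live origin. HSTS is only honoured over HTTPS,
    so refuse http:// URLs; redirects are followed, so the header of the final
    response is returned."""
    if not url.lower().startswith("https://"):
        raise ValueError("check the https:// origin; browsers ignore HSTS over HTTP")
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Strict-Transport-Security")


SAMPLES = {  # constructed header values for demonstration
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "disabled": "max-age=0; includeSubDomains",
    "quoted": 'Max-Age="63072000"; INCLUDESUBDOMAINS',
    "no-max-age": "includeSubDomains; preload",
    "duplicate": "max-age=100; max-age=200",
    "absent": None,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(verdict(fetch_hsts(sys.argv[1])))
    else:
        for name, value in SAMPLES.items():
            print(f"{name:11} {verdict(value)}")
```

Run without arguments to see the constructed samples graded; run with an https:// URL to grade a live site. Note that a PASS here only means the header is well-formed and enforced; it cannot tell you whether every subdomain actually serves HTTPS, which is the check to make before adding includeSubDomains.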

Error

(ScanGov messaging when a site fails a standard)

Site doesn't force a secure connection; easier for hackers to intercept.

Guidance

Feedback