HTTP Strict Transport Security (HSTS) (Security)

Site upgrades to a secure connection.

• Rescan
• Share
  • This page
  • LinkedIn
  • Bluesky
  • Mastodon
  • X
  • Email

Impact

(ScanGov impact)

About

HTTP Strict Transport Security is a security feature that:

• Forces web browsers to use HTTPS instead of HTTP.
• Protects against downgrade attacks and cookie hijacking.
• Specifies a period during which the browser should enforce HTTPS for the site.

Key points:

• Activated by the server through a response header (Strict-Transport-Security).
• Helps improve website security by ensuring encrypted connections.

Why it's important

Forces secure connections, protecting user data by making websites always load with encryption.

User stories

As a site visitor, I want the website to automatically redirect to HTTPS and prevent any connection via HTTP so that my data is always encrypted and secure during transmission.

Code

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Error

(ScanGov messaging when a site fails a standard)

Site doesn't force secure connection; easier for hackers to intercept.

Guidance

• 21st Century Integrated Digital Experience Act (IDEA)
• CISA Website Security
• CISA Cybersecurity Performance Goals
• Memorandum (M-23-22)

Links

• HTTP Strict Transport Security (CIO.gov)
• HTTP Strict Transport Security (Mozilla)
• Security-related HTTP headers (Cloud.gov)
• HTTP Strict Transport Security Cheat Sheet (OWASP)
• HTTP Strict Transport Security (Wikipedia)

Indicators

• Security