Strict-Transport-Security

HSTS forces HTTPS: the browser upgrades HTTP requests to HTTPS and remembers the policy for max-age seconds. The includeSubDomains and preload directives are optional.

Response

Syntax

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]

Example values

| Value | Explanation |
|---|---|
| max-age=31536000 | 1 year |
| max-age=31536000; includeSubDomains; preload | Full HSTS |

cURL usage

curl -I https://example.com  # Check HSTS

Common mistakes

Setting a short max-age; enabling HSTS before HTTPS works everywhere.
