Strict-Transport-Security

Tells web browsers that they should only use HTTPS connections to view this website.

To protect your users' privacy and to prevent a variety of attacks, a website should serve content exclusively over an encrypted SSL/TLS connection. If a server sets the HTTP "Strict-Transport-Security" (HSTS) response header to an appropriate value, it instructs the web browser to always use https instead of http for that site, even if the user types an http URL by hand or clicks a link starting with "http".

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The optimal value for this header is shown above. It instructs the browser to enforce HTTPS connections for 2 years (63072000 seconds) and to do so for all subdomains. The "preload" directive also signals that the site's preference may be built into browsers ahead of time, so that even the very first connection to the website is made over HTTPS. Without preloading, a user's first visit happens before the browser has ever seen the header.

The max-age number is the number of seconds for which the web browser should enforce the HSTS policy. It can be decreased, but any value lower than 2 years makes the site ineligible for preloading into browsers. The "includeSubDomains" and "preload" directives can also be removed if desired, but this likewise makes the website ineligible for preloading.
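The directive rules above can be turned into a small checker. The following is an added example, not ValidBot's own HSTS Test code: it parses a Strict-Transport-Security value (directive names are case-insensitive, max-age is required, and each directive may appear only once) and lists every reason the header would miss the preload criteria stated on this page. The sample header values are constructed.

```python
"""Check a Strict-Transport-Security value against the preload criteria this
page states. Added example, not ValidBot's test code; samples are constructed."""
import re

TWO_YEARS = 63072000  # the page's recommended max-age, in seconds

def parse_hsts(value):
    """Parse directives (case-insensitive, RFC 6797); collect syntax errors."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # each directive may appear only once
            result["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                result["max_age"] = int(arg)
            else:
                result["errors"].append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as browsers do
    if result["max_age"] is None:
        result["errors"].append("max-age directive is required")
    return result

def preload_problems(value):
    """Reasons the header fails the page's preload criteria (2-year max-age,
    includeSubDomains, preload); an empty list means it meets them."""
    parsed = parse_hsts(value)
    problems = list(parsed["errors"])
    if parsed["max_age"] is not None and parsed["max_age"] < TWO_YEARS:
        problems.append(f"max-age {parsed['max_age']} is below {TWO_YEARS} (2 years)")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains is missing")
    if not parsed["preload"]:
        problems.append("preload is missing")
    return problems

if __name__ == "__main__":  # constructed sample values
    for h in ("max-age=63072000; includeSubDomains; preload", "max-age=31536000; includeSubDomains"):
        print(h, "->", preload_problems(h) or "meets preload criteria")
```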

For information about how ValidBot tests a website for this header, read about our HSTS Test. We also have a detailed article about additional security headers if you want to fully protect your users.

Ready to validate your website to check for this header and 100+ other important tests?