HSTS

HSTS: HTTP Strict Transport Security

HSTS forces browsers to use HTTPS, preventing downgrade attacks.

HSTS forces HTTPS.

## Header
Strict-Transport-Security: max-age=31536000; includeSubDomains

## Nginx
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

## Important
- Only enable after HTTPS works
- Start with short max-age for testing
- Add preload only after testing

Was this article helpful?