The downgrade threat
A user who types a bare domain often makes a first request over plain HTTP. An attacker on the path can intercept that request and hold the victim on an unencrypted or spoofed connection; this is a downgrade attack. HTTP Strict Transport Security, or HSTS, tells the browser to refuse plain HTTP for that site entirely.
How the policy works
The server sends a Strict-Transport-Security response header over HTTPS.
- max-age sets how long, in seconds, the browser remembers to use only HTTPS.
- includeSubDomains extends the rule to every subdomain.
- preload signals willingness to be baked into browsers' built-in HSTS lists.
There is a bootstrap gap, because the very first visit, before any header has been seen, can still be intercepted. The preload list closes this by shipping the policy inside the browser, so even the first request goes over HTTPS. A practical caution is that a long max-age combined with includeSubDomains is hard to undo, since browsers honor the stored policy until it expires.
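The following is an added example, not code from the original page: a small model of the browser side of HSTS, with a parser for the Strict-Transport-Security directives above and a toy policy store that ignores headers seen over plain HTTP, treats preloaded hosts as never expiring, and applies a parent's includeSubDomains rule to subdomains. Host names and times are constructed for illustration.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value. Returns None when max-age is
    missing or malformed, which is how a browser treats an unusable header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """Toy model of a browser's HSTS cache. Entries map a host to
    (expiry time, or None for a preloaded host; includeSubDomains flag)."""
    def __init__(self, preloaded=()):
        self.entries = {host: (None, subs) for host, subs in preloaded}

    def observe(self, scheme, host, header, now):
        """Record a policy from a response; only HTTPS responses count."""
        if scheme != "https":
            return  # a header seen over plain HTTP is ignored (could be injected)
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget
            return
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, subs = entry
            if expires is not None and expires <= now:
                continue  # policy has expired; the browser may go back to HTTP
            if i == 0 or subs:
                return True
        return False
```

A browser consults must_use_https before sending any request, so a hit rewrites http:// to https:// before the downgrade-prone first request ever leaves the machine.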
Key idea
HSTS makes a browser remember to use only HTTPS for a site, and preloading closes the first-visit gap by baking the rule into the browser.