What is HSTS
Directives – a list of all HSTS directives.
max-age: the time, in seconds, that the browser should cache and apply the given HSTS policy for.
includeSubDomains: this flag indicates that the browser should also apply the policy to all subdomains below the current domain.
preload: this flag indicates that the site wishes to be included in the HSTS Preload list.
Here are a few example policies, ranging in purpose and strength.
To start out, sites should issue a very relaxed HSTS policy for testing purposes. It is also possible to issue the policy only on certain endpoints advertised to staff or beta testers, for example, so that only they pick it up.
Strict-Transport-Security: max-age=600
This policy will only apply for 10 minutes, so if it does have undesired side effects they will not last long before the policy expires.
Once you are sure that you can meet the requirements of HSTS, you can introduce the includeSubDomains directive, should you wish.
Strict-Transport-Security: max-age=600; includeSubDomains
Again, the low max-age means you can stop issuing the policy and it will expire quickly for those that have received it. After this, the next step is to start increasing the max-age value.
You should aim for a max-age value of 1 year, reached through many small, incremental increases that test your ability to support HSTS.
Strict-Transport-Security: max-age=31536000; includeSubDomains
The final step for an HSTS policy is to include the preload directive for inclusion in the HSTS Preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Warning: You should ensure that you fully understand the implications of HSTS preloading before you include the directive in your policy and before you submit. It means that your entire domain and all subdomains, including those managed or maintained by third parties, will only work with HTTPS. Preloading should be viewed as a one-way ticket. Whilst it is possible to be removed, it can take a long time and you may not be removed from all browsers.
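The rollout above is easy to check mechanically. The following is an added example, not code from the original article: it parses a Strict-Transport-Security header value the way RFC 6797 describes (directives separated by ";", case-insensitive names, a required numeric max-age, no duplicated directive, unknown directives ignored) and then reports which stage of the article's ladder a policy sits on. The stage names and the grade_hsts, parse_hsts and is_valid_hsts functions are my own naming, not anything the article or a browser defines.

```python
"""Parse a Strict-Transport-Security header value and grade the policy.

Added example (not from the original article). The parser follows the
syntax rules of RFC 6797 section 6.1; the grading follows the staged
rollout the article recommends: short test policy, includeSubDomains,
a one-year max-age, and finally preload.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age value the article aims for

# one directive: name, optionally followed by = and a (maybe quoted) value
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_hsts(value):
    """Return {lower_name: value_or_None} for a header value.

    Raises ValueError on a policy a browser would ignore: missing or
    non-numeric max-age, malformed directive, or a duplicated directive.
    """
    directives = {}
    for part in value.split(';'):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE_RE.match(part)
        if not m:
            raise ValueError('malformed directive: %r' % part)
        name, val = m.group(1).lower(), m.group(2)
        if name in directives:
            # RFC 6797: each directive may appear at most once
            raise ValueError('duplicate directive: %s' % name)
        directives[name] = val
    if 'max-age' not in directives:
        raise ValueError('max-age directive is required')
    if not re.fullmatch(r'[0-9]+', directives['max-age'] or ''):
        raise ValueError('max-age must be a non-negative integer')
    directives['max-age'] = int(directives['max-age'])
    return directives


def is_valid_hsts(value):
    """True if a browser would accept the policy at all."""
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False


def grade_hsts(value):
    """Map a header value to a stage of the article's rollout ladder."""
    d = parse_hsts(value)
    max_age = d['max-age']
    subs = 'includesubdomains' in d
    preload = 'preload' in d
    if preload and subs and max_age >= ONE_YEAR:
        return 'preload-ready'
    if preload:
        # preload requested without the one-year max-age and
        # includeSubDomains the preload list expects alongside it
        return 'preload-misconfigured'
    if subs and max_age >= ONE_YEAR:
        return 'one-year-with-subdomains'
    if max_age >= ONE_YEAR:
        return 'one-year'
    if subs:
        return 'testing-with-subdomains'
    return 'testing'


if __name__ == '__main__':
    # the article's own example policies, constructed here as input
    for header in ('max-age=600',
                   'max-age=600; includeSubDomains',
                   'max-age=31536000; includeSubDomains',
                   'max-age=31536000; includeSubDomains; preload'):
        print('%-50s -> %s' % (header, grade_hsts(header)))
```

Run it against a header captured from your own site (for example the value curl shows you) to confirm the policy you think you are sending is the one browsers will actually apply; a duplicated or misspelled max-age silently disables HSTS rather than producing an error.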
What is HSTS preloading
HSTS Preloading is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is built into the browser. This list is compiled by Google and is used by Chrome, Firefox and Safari. These sites do not depend on the HSTS response header being issued to enforce the policy; instead, the browser already knows that the host requires SSL/TLS before any connection or communication takes place. This removes the opportunity an attacker has to intercept and tamper with redirects that take place over HTTP. This isn't to say that the host can stop issuing the HSTS response header: it must be left in place for those browsers that don't use preloaded HSTS lists.
To implement HSTS using .htaccess
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
The env=HTTPS condition makes Apache add the header only to responses served over HTTPS; this matters because RFC 6797 requires browsers to ignore a Strict-Transport-Security header received over plain HTTP, so sending it there achieves nothing. The always condition makes the header go out on every response code, including redirects and error pages, rather than only on successful responses.