HTTP Strict Transport Security

In this lesson, we'll learn how to force secure communications by using the HTTP Strict Transport Security header, improving the end-to-end security of communication between users and websites.

HTTP Strict Transport Security, also known as HSTS, is a protocol standard that enforces secure connections to the server via HTTP over SSL/TLS. HSTS is configured on the server and transmitted to any HTTP web client in the Strict-Transport-Security response header. The header specifies a time interval during which the browser should communicate with the site only over a secured HTTP connection (HTTPS).

Tip

When a Strict-Transport-Security header is sent over an insecure HTTP connection, the web browser ignores it because the connection is insecure.

After the header has been set, the browser consults a preload service, like Google’s, to determine whether the website has opted in to HSTS.
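As an added example, not code from the lesson, here is a minimal Python model of how a client applies this header: it parses the directives, ignores a header seen over plain HTTP (the tip above), honours the max-age interval and includeSubDomains, and leaves the preload directive to the preload list. The host names used are constructed sample values.

```python
from dataclasses import dataclass
import time

@dataclass
class HstsPolicy:
    max_age: int             # seconds the policy stays in force
    include_subdomains: bool
    received_at: float       # Unix time the header was accepted

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing or malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # "preload" only requests inclusion in the preload list; the client ignores it here
    return None if max_age is None else HstsPolicy(max_age, include_sub, time.time())

class HstsStore:
    def __init__(self):
        self.policies = {}           # host -> HstsPolicy, as a browser's HSTS cache

    def observe(self, host, over_tls, header):
        # Lesson's tip: a header received over plain HTTP is ignored.
        if not over_tls or header is None:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.policies.pop(host, None)      # max-age=0 revokes a stored policy
        else:
            self.policies[host] = policy

    def should_upgrade(self, host, now=None):
        """True if an http:// request to host must be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):           # host itself, then each parent domain
            p = self.policies.get(".".join(labels[i:]))
            if p and now <= p.received_at + p.max_age and (i == 0 or p.include_subdomains):
                return True
        return False
```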