HSTS
ELI5 — The Vibe Check
HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.' Once a browser sees this header, it will refuse to load the site over HTTP for months or even years. It prevents attackers from downgrading your connection to unencrypted HTTP.
Real Talk
HSTS is an HTTP response header that instructs browsers to only connect to a domain via HTTPS for a specified duration (max-age). It prevents protocol downgrade attacks and cookie hijacking. The includeSubDomains directive extends it to all subdomains. HSTS preloading submits the domain to browsers' built-in lists.
Show Me The Code
// HSTS header in Express
import express from 'express';
import helmet from 'helmet';

const app = express();

app.use((req, res, next) => {
  // max-age=31536000 = 1 year. Browsers only honor this header when it
  // arrives over HTTPS, so the site must already be served over TLS.
  res.setHeader(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  );
  next();
});

// Or with helmet.js (helmet leaves out the preload token unless you pass
// preload: true, which you should only do once you intend to submit the
// domain to the preload list):
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));
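To make the "Real Talk" description concrete, here is an added example (not code from the original page or from Express/helmet) that parses a Strict-Transport-Security header the way a browser would, applies the cached policy to a plain-HTTP URL, and checks the header against the preload requirements the page lists; the host names and header values are constructed for illustration.

```javascript
// Parse "max-age=31536000; includeSubDomains; preload" into a policy object.
// Returns null when max-age is missing or not a number (the header is unusable).
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const [name, value] = token.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    const num = (value || '').replace(/^"|"$/g, ''); // max-age may be quoted
    if (key === 'max-age' && /^\d+$/.test(num)) {
      policy.maxAge = Number(num);
    } else if (key === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (key === 'preload') {
      policy.preload = true;
    } // unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy;
}

// Simulate the browser's HSTS cache: `cache` maps a host that sent the header
// (over HTTPS) to { policy, seenAt } in milliseconds since the epoch.
// Returns the https:// URL the browser would fetch instead, or null if the
// request is not rewritten (already HTTPS, unknown host, or policy expired).
function upgradeUrl(urlString, cache, now = Date.now()) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return null;
  for (const [host, { policy, seenAt }] of cache) {
    const expired = seenAt + policy.maxAge * 1000 <= now;
    const exact = url.hostname === host;
    const sub = policy.includeSubDomains && url.hostname.endsWith('.' + host);
    if (!expired && (exact || sub)) {
      url.protocol = 'https:';
      return url.toString();
    }
  }
  return null;
}

// Preload-list eligibility as the page describes it: a one-year max-age,
// includeSubDomains, and the preload token must all be present.
function preloadProblems(headerValue) {
  const policy = parseHsts(headerValue);
  if (!policy) return ['missing or invalid max-age'];
  const problems = [];
  if (policy.maxAge < 31536000) problems.push('max-age shorter than one year');
  if (!policy.includeSubDomains) problems.push('includeSubDomains missing');
  if (!policy.preload) problems.push('preload missing');
  return problems;
}
```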
When You'll Hear This
"Enable HSTS with a one-year max-age for the production domain." / "Submitting to the HSTS preload list locks in HTTPS permanently."
Related Terms
Certificate
A certificate is a digital ID card for a website, signed by a trusted authority.
Content Security Policy (CSP)
Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.
HTTPS (HyperText Transfer Protocol Secure)
HTTPS is HTTP but with a bodyguard. All the data flying between your browser and the website is scrambled so nobody can spy on it.
SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) is the old-school version of the lock you see in your browser address bar.
TLS (Transport Layer Security)
TLS (Transport Layer Security) is the updated, actually-secure version of SSL. It's the technology that puts the padlock in your browser's address bar.