[{"data":1,"prerenderedAt":323},["ShallowReactive",2],{"term-h\u002Fhsts":3,"related-h\u002Fhsts":303},{"id":4,"title":5,"acronym":5,"body":6,"category":283,"description":284,"difficulty":285,"extension":286,"letter":287,"meta":288,"navigation":184,"path":289,"related":290,"seo":296,"sitemap":297,"stem":300,"subcategory":301,"__hash__":302},"terms\u002Fterms\u002Fh\u002Fhsts.md","HSTS",{"type":7,"value":8,"toc":277},"minimark",[9,14,18,22,34,38,266,270,273],[10,11,13],"h2",{"id":12},"eli5-the-vibe-check","ELI5 — The Vibe Check",[15,16,17],"p",{},"HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.' Once a browser has seen this header on a valid HTTPS response, it will quietly turn every http:\u002F\u002F link for that site into https:\u002F\u002F for months or even years, and it will refuse to click past a certificate error for the site. It prevents attackers from downgrading your connection to unencrypted HTTP, but not on your very first visit, before the browser has ever seen the header; that gap is what preloading closes.",[10,19,21],{"id":20},"real-talk","Real Talk",[15,23,24,25,29,30,33],{},"HSTS is an HTTP response header that instructs browsers to only connect to a domain via HTTPS for a specified number of seconds (",[26,27,28],"code",{},"max-age","). Browsers honor it only when it arrives over a valid HTTPS connection (it is ignored on plain-HTTP responses), so the first visit remains unprotected unless the domain is preloaded. It prevents protocol downgrade attacks (SSL stripping) and cookie hijacking. The ",[26,31,32],{},"includeSubDomains"," directive extends it to all subdomains, so every subdomain, including internal or legacy ones, must already be served over HTTPS before you enable it. 
HSTS preloading submits the domain to browsers' built-in lists so the policy applies even on the first visit; the list requires a max-age of at least one year, includeSubDomains and the preload directive, and removal takes months to reach users, so add preload only once every subdomain is permanently HTTPS-only.",[10,35,37],{"id":36},"show-me-the-code","Show Me The Code",[39,40,45],"pre",{"className":41,"code":42,"language":43,"meta":44,"style":44},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F HSTS header in Express\napp.use((req, res, next) => {\n  \u002F\u002F max-age=31536000 = 1 year\n  res.setHeader(\n    'Strict-Transport-Security',\n    'max-age=31536000; includeSubDomains; preload'\n  );\n  next();\n});\n\n\u002F\u002F Or with helmet.js:\nimport helmet from 'helmet';\napp.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));\n","javascript","",[26,46,47,56,101,107,122,138,149,158,169,179,186,192,215],{"__ignoreMap":44},[48,49,52],"span",{"class":50,"line":51},"line",1,[48,53,55],{"class":54},"sHwdD","\u002F\u002F HSTS header in Express\n",[48,57,59,63,67,71,74,76,80,83,86,88,91,94,98],{"class":50,"line":58},2,[48,60,62],{"class":61},"sTEyZ","app",[48,64,66],{"class":65},"sMK4o",".",[48,68,70],{"class":69},"s2Zo4","use",[48,72,73],{"class":61},"(",[48,75,73],{"class":65},[48,77,79],{"class":78},"sHdIc","req",[48,81,82],{"class":65},",",[48,84,85],{"class":78}," res",[48,87,82],{"class":65},[48,89,90],{"class":78}," next",[48,92,93],{"class":65},")",[48,95,97],{"class":96},"spNyl"," =>",[48,99,100],{"class":65}," {\n",[48,102,104],{"class":50,"line":103},3,[48,105,106],{"class":54},"  \u002F\u002F max-age=31536000 = 1 year\n",[48,108,110,113,115,118],{"class":50,"line":109},4,[48,111,112],{"class":61},"  res",[48,114,66],{"class":65},[48,116,117],{"class":69},"setHeader",[48,119,121],{"class":120},"swJcz","(\n",[48,123,125,128,132,135],{"class":50,"line":124},5,[48,126,127],{"class":65},"    
'",[48,129,131],{"class":130},"sfazB","Strict-Transport-Security",[48,133,134],{"class":65},"'",[48,136,137],{"class":65},",\n",[48,139,141,143,146],{"class":50,"line":140},6,[48,142,127],{"class":65},[48,144,145],{"class":130},"max-age=31536000; includeSubDomains; preload",[48,147,148],{"class":65},"'\n",[48,150,152,155],{"class":50,"line":151},7,[48,153,154],{"class":120},"  )",[48,156,157],{"class":65},";\n",[48,159,161,164,167],{"class":50,"line":160},8,[48,162,163],{"class":69},"  next",[48,165,166],{"class":120},"()",[48,168,157],{"class":65},[48,170,172,175,177],{"class":50,"line":171},9,[48,173,174],{"class":65},"}",[48,176,93],{"class":61},[48,178,157],{"class":65},[48,180,182],{"class":50,"line":181},10,[48,183,185],{"emptyLinePlaceholder":184},true,"\n",[48,187,189],{"class":50,"line":188},11,[48,190,191],{"class":54},"\u002F\u002F Or with helmet.js:\n",[48,193,195,199,202,205,208,211,213],{"class":50,"line":194},12,[48,196,198],{"class":197},"s7zQu","import",[48,200,201],{"class":61}," helmet ",[48,203,204],{"class":197},"from",[48,206,207],{"class":65}," '",[48,209,210],{"class":130},"helmet",[48,212,134],{"class":65},[48,214,157],{"class":65},[48,216,218,220,222,224,227,229,232,234,237,240,243,247,249,252,254,258,261,264],{"class":50,"line":217},13,[48,219,62],{"class":61},[48,221,66],{"class":65},[48,223,70],{"class":69},[48,225,226],{"class":61},"(helmet",[48,228,66],{"class":65},[48,230,231],{"class":69},"hsts",[48,233,73],{"class":61},[48,235,236],{"class":65},"{",[48,238,239],{"class":120}," maxAge",[48,241,242],{"class":65},":",[48,244,246],{"class":245},"sbssI"," 31536000",[48,248,82],{"class":65},[48,250,251],{"class":120}," includeSubDomains",[48,253,242],{"class":65},[48,255,257],{"class":256},"sfNiH"," true",[48,259,260],{"class":65}," }",[48,262,263],{"class":61},"))",[48,265,157],{"class":65},[10,267,269],{"id":268},"when-youll-hear-this","When You'll Hear This",[15,271,272],{},"\"Enable HSTS with a one-year max-age for the production 
domain.\" \u002F \"Submitting to the HSTS preload list locks in HTTPS permanently.\"",[274,275,276],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sHdIc, html code.shiki .sHdIc{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#EEFFFF;--shiki-default-font-style:italic;--shiki-dark:#BABED8;--shiki-dark-font-style:italic}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: 
var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":44,"searchDepth":58,"depth":58,"links":278},[279,280,281,282],{"id":12,"depth":58,"text":13},{"id":20,"depth":58,"text":21},{"id":36,"depth":58,"text":37},{"id":268,"depth":58,"text":269},"security","HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.","intermediate","md","h",{},"\u002Fterms\u002Fh\u002Fhsts",[291,292,293,294,295],"HTTPS","TLS","SSL","Content Security Policy","Certificate",{"title":5,"description":284},{"changefreq":298,"priority":299},"weekly",0.7,"terms\u002Fh\u002Fhsts",null,"Z7pdNhl7-uYXNzoFyvPt3yJjTZ9gby_kM-NASoJiMV0",[304,307,311,317,320],{"title":295,"path":305,"acronym":301,"category":283,"difficulty":285,"description":306},"\u002Fterms\u002Fc\u002Fcertificate","A certificate is a digital ID card for a website, signed by a trusted 
authority.",{"title":294,"path":308,"acronym":309,"category":283,"difficulty":285,"description":310},"\u002Fterms\u002Fc\u002Fcontent-security-policy","CSP","Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.",{"title":291,"path":312,"acronym":313,"category":314,"difficulty":315,"description":316},"\u002Fterms\u002Fh\u002Fhttps","HyperText Transfer Protocol Secure","networking","beginner","HTTPS is HTTP but with a bodyguard. All the data flying between your browser and the website is scrambled so nobody can spy on it.",{"title":293,"path":318,"acronym":293,"category":283,"difficulty":315,"description":319},"\u002Fterms\u002Fs\u002Fssl","SSL (Secure Sockets Layer) is the old-school version of the lock you see in your browser address bar.",{"title":292,"path":321,"acronym":292,"category":283,"difficulty":285,"description":322},"\u002Fterms\u002Ft\u002Ftls","TLS (Transport Layer Security) is the updated, actually-secure version of SSL. It's the technology that puts the padlock in your browser's address bar.",1776518285739]