HSTS Directive Components

The Strict-Transport-Security header accepts three directives:

max-age: Specifies how long browsers should enforce HTTPS-only access (in seconds).

Strict-Transport-Security: max-age=31536000

includeSubDomains: Extends HSTS protection to all subdomains.

Strict-Transport-Security: max-age=31536000; includeSubDomains

preload: Indicates eligibility for browser preload lists.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
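
The three directives above can be checked mechanically before a header ships. The following is an added example, not code from the original page: a small parser and audit for a Strict-Transport-Security value. The function names and sample values are constructed for illustration, and the one-year minimum for preload is the submission requirement published by hstspreload.org, not something this page states.

```python
import re

# Assumption: minimum max-age (one year) that hstspreload.org requires for submission.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (directives, errors)."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # the max-age value may be quoted
        if name in directives:
            errors.append(f"duplicate directive: {name}")
        directives[name] = arg
    age = directives.get("max-age")
    if age is None:
        errors.append("max-age is required")
    elif not re.fullmatch(r"[0-9]+", age):
        errors.append(f"max-age is not a non-negative integer: {age!r}")
    for flag in ("includesubdomains", "preload"):
        if directives.get(flag):
            errors.append(f"{flag} takes no value")
    return directives, errors

def audit_hsts(value):
    """Return a list of findings for one header value; empty means no issues."""
    directives, findings = parse_hsts(value)
    if findings:
        return findings                  # syntax problems first; skip policy checks
    age = int(directives["max-age"])
    if age == 0:
        findings.append("max-age=0 tells the browser to drop the HSTS policy")
    if "preload" in directives:
        if "includesubdomains" not in directives:
            findings.append("preload without includeSubDomains")
        if age < PRELOAD_MIN_AGE:
            findings.append(f"preload with max-age below {PRELOAD_MIN_AGE}")
    return findings

if __name__ == "__main__":
    # Constructed sample values: one from the page, two misconfigurations.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300; preload", "includeSubDomains"):
        print(f"{sample!r}: {audit_hsts(sample) or 'ok'}")
```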