hsts


Set an HSTS header

Without HSTS, an attacker on the same network can intercept the first HTTP request and strip TLS (SSL stripping), silently downgrading the connection before the browser ever sees a redirect.

Quick Reference

  • Set Strict-Transport-Security: max-age=31536000; includeSubDomains on all HTTPS responses
  • Use max-age=31536000 (1 year) minimum; HSTS preloading requires at least 1 year
  • Add includeSubDomains to protect all subdomains from downgrade attacks
  • Add preload only after testing — it is difficult to reverse and takes weeks to propagate
  • Never send the HSTS header over plain HTTP — only over HTTPS

Check

Check whether the server sends a Strict-Transport-Security header on every HTTPS response (and never on plain HTTP), and verify that max-age is at least 31536000, that includeSubDomains is present, and that preload is present only if the site is ready for preloading.

Fix

Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains to all HTTPS responses. Configure your web server or CDN to send this header, and validate it with curl or securityheaders.com.
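To automate the Check and Fix validation above, here is an added example (not part of the front-end-checklist project) that parses a raw Strict-Transport-Security value per RFC 6797 syntax and reports which of the checklist rules it fails; the header values in `__main__` are constructed samples, not captured from any real server.

```python
"""Check a Strict-Transport-Security header value against this checklist's rules."""

ONE_YEAR = 31536000  # seconds; the minimum this checklist (and HSTS preloading) requires


def parse_hsts(header_value):
    """Parse the header into {lowercase directive: value or None} (RFC 6797 syntax)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be sent as a quoted-string
        if name in directives:
            raise ValueError("duplicate directive: " + name)  # RFC 6797 forbids repeats
        directives[name] = value or None
    return directives


def check_hsts(header_value, over_https=True):
    """Return a list of findings; an empty list means the header is acceptable.

    header_value is the raw STS header (None if absent); over_https=False models a
    header observed on a plain-HTTP response, which browsers ignore."""
    findings = []
    if not over_https:
        findings.append("HSTS header sent over plain HTTP; browsers ignore it, send it only over HTTPS")
    if header_value is None:
        return findings + ["no Strict-Transport-Security header on the response"]
    try:
        d = parse_hsts(header_value)
    except ValueError as err:
        return findings + [str(err)]
    max_age = d.get("max-age")
    age_ok = max_age is not None and max_age.isdigit() and int(max_age) >= ONE_YEAR
    if max_age is None or not max_age.isdigit():
        findings.append("missing or non-numeric max-age; the header is invalid")
    elif not age_ok:
        findings.append("max-age=%s is below one year (%d)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains remain downgradeable")
    if "preload" in d and not (age_ok and "includesubdomains" in d):
        findings.append("preload requires max-age of at least one year plus includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    for value in ["max-age=31536000; includeSubDomains", "max-age=300", "preload"]:
        print(repr(value), "->", check_hsts(value) or "OK")
```

Feed it the value from `curl -sI https://example.test | grep -i strict-transport-security` to check a live deployment; an empty finding list means the header meets the Quick Reference rules.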

hsts — thedaviddias/front-end-checklist