Strict-Transport-Security header
HSTS tells browsers to ALWAYS use HTTPS for this domain, for the next N seconds. Defends against SSL-strip attacks. Once set, you can't easily un-set without breaking returning users.
What the RFC says
"The HTTP Strict Transport Security (HSTS) policy ... allows web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections." (RFC 6797 §1)
Example
```http
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
# 2 years, all subdomains, eligible for browser preload list

# Testing/rollback-safe:
Strict-Transport-Security: max-age=300
# 5 minutes: short window, recoverable
```
Real-world implementations
- GitHub: `max-age=31536000; includeSubDomains; preload` (1 year, preloaded).
- Google.com: `max-age=63072000; includeSubDomains; preload` (2 years).
- Browser preload list (https://hstspreload.org) bakes the policy in — no opt-out without browser update.
Common misuses (don't do this)
- WARNING: setting `includeSubDomains` while one subdomain still needs plain HTTP means users can no longer reach that subdomain. Verify every subdomain serves HTTPS first.
- Submitting to the preload list before testing: once on the list, you're stuck for ~6+ months until removal propagates.
- Setting `max-age=0` to rollback works locally but not for users who already cached the policy. Real rollback takes the original max-age duration.
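The two header examples above and the misuse list both come down to reading the directives correctly before a browser does. The following is an added example, not code from httpwut or from RFC 6797: a small parser for the `Strict-Transport-Security` field value following the RFC 6797 §6.1 grammar (case-insensitive directive names, optional quoted `max-age`, no duplicated directives), plus an audit that flags the situations listed above. The 1-year `max-age` minimum for preload eligibility and the finding texts are assumptions of this example, taken from the hstspreload.org submission requirements rather than from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: hstspreload.org requires max-age of at least one year (31536000 s),
# includeSubDomains and the preload directive before it accepts a submission.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value per RFC 6797 §6.1.

    Returns None for a value a user agent would ignore: missing max-age,
    a duplicated directive, or a max-age that is not a non-negative integer.
    """
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # the grammar tolerates empty directives between ';'
        name, sep, val = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # all directives MUST appear only once
        seen[name] = val.strip() if sep else None
    if seen.get("max-age") is None:
        return None  # max-age is REQUIRED
    match = re.fullmatch(r'"?(\d+)"?', seen["max-age"])  # value may be quoted
    if match is None:
        return None
    return HstsPolicy(
        max_age=int(match.group(1)),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_eligible(policy: HstsPolicy) -> bool:
    """True when the policy satisfies the assumed preload-list requirements."""
    return (
        policy.preload
        and policy.include_subdomains
        and policy.max_age >= PRELOAD_MIN_MAX_AGE
    )


def audit(value: str) -> List[str]:
    """Return deployment findings for a header value; empty means nothing to flag."""
    policy = parse_hsts(value)
    if policy is None:
        return ["INVALID: browsers ignore a malformed STS header (RFC 6797 §8.1)"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("ROLLBACK: max-age=0 tells browsers to drop the policy; not a hardening setting")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"SHORT: max-age={policy.max_age} is below the 1-year preload minimum")
    if policy.include_subdomains:
        findings.append("SUBDOMAINS: every subdomain must serve HTTPS or it becomes unreachable")
    if policy.preload and not preload_eligible(policy):
        findings.append("PRELOAD: preload directive set but policy does not meet the preload-list requirements")
    elif policy.preload:
        findings.append("PRELOAD: eligible for submission; removal takes months, so test before submitting")
    return findings


# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=300",
    "max-age=31536000; preload",
    'Max-Age="31536000"; max-age=0',
    "includeSubDomains",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r}")
        for finding in audit(header) or ["OK: nothing to flag"]:
            print(f"  {finding}")
```

Run the module directly to see the audit of each constructed sample; in a deployment pipeline the same `audit` call can gate a change to the header on the findings it returns.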
Use cases
- Production HTTPS hardening
- PCI-DSS compliance (HSTS strongly encouraged)
- Banking / fintech security baselines
- SSL strip attack defense
Get the RFC reference for any HTTP response
httpwut takes a curl response and explains the status code + headers + the RFC sections you should actually read. Built for HTTP debugging that goes deeper than 'lol 500'.
Related HTTP topics
cors headers explained (access-control-*)