HSTS Policy

The HTTP Strict Transport Security response header can tell a browser to only use TLS for a website, never plaintext HTTP.

Use this header in combination with the HSTS preload service and the preload directive to improve page speed. The HSTS preload list is compiled into browsers and tells them which sites must be requested over HTTPS.

This is faster because the browser doesn’t need to download the HSTS header from the server each time; it is already cached.

Read more about preloading

Since sites tell the browser that they support HSTS when the browser visits, the browser cannot know a site’s HSTS policy before the user has visited the site for the first time.

Note, however, that the page linked above does not recommend HSTS preloading: undoing it takes time, and the benefit is minimal because the browser will already auto-upgrade requests to HTTPS when possible.

The Ideal HSTS Header

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

NOTE the preload directive.

TL;DR

Use preload in the header, and submit the domain to the HSTS preload service. This will compile the domain into browser binaries that use the HSTS list.
