The purpose of HSTS is to allow a website to declare to complying users’ agents that they should interact with it using a secure connection such as HTTPS.
In order to implement HSTS, a website must have a statement in its header, such as:
- Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”
When a complying browser sees this header, it will take any insecure link and turn them into secure links. For example, would be modified to . If the connection cannot be secured, the browser will show an error and not allow the user to access the site.
In the above example, the maximum age for HSTS is set at 31536000 seconds (12 months). This can be changed to other periods and will keep on being updated every time the browser accesses the site.
HSTS-complying browsers include Google Chrome 4+, Firefox 4+ and Opera 12.