HSTS RFC Finalized

Bruce Morton

HTTP Strict Transport Security (HSTS) has been finalized and published as RFC 6797.

The purpose of HSTS is to allow a website to declare to conforming user agents that they must interact with it only over a secure connection (HTTPS), and never over plain HTTP.

In order to implement HSTS, a website must send the Strict-Transport-Security response header on its HTTPS responses. With Apache's mod_headers, for example:

  • Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Note that RFC 6797 requires browsers to ignore this header when it arrives over plain HTTP or over an HTTPS connection with certificate errors, so it only takes effect once the user has reached the site securely.

When a conforming browser sees this header, it records the host as an HSTS host and, for the lifetime of the policy, rewrites any insecure link to that host into a secure one before making the request. For example, "http://www.example.com" would be modified to "https://www.example.com". With includeSubDomains, the same applies to every subdomain. If the connection cannot be secured, for instance because the certificate is untrusted or does not match the host, the browser shows a hard error and does not allow the user to click through to the site.

In the above example, the maximum age for HSTS is set at 31536000 seconds (365 days). This can be changed to other periods; the expiry is reset each time the browser receives the header from the site over HTTPS, so a regularly visited site never drops out of the browser's HSTS list. Sending max-age=0 tells the browser to forget the policy.
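As an added illustration, not code from the original post or from Entrust, the following Python models the user-agent side of the behaviour described in the two paragraphs above: parsing the Strict-Transport-Security header according to the RFC 6797 grammar, honouring it only over a secure connection, refreshing the expiry on every valid response, treating max-age=0 as a deletion, and rewriting http:// URLs for known hosts and their subdomains. Host names and timestamps are constructed for the example.

```python
"""Minimal model of a browser's HSTS store (RFC 6797, sections 6.1, 8.1, 8.3).

Added example, not from the original post. Host names and times are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header does not conform to the RFC 6797 grammar
    (missing or non-numeric max-age, or a directive repeated), in which case a
    conforming user agent must ignore it. Directive names are case-insensitive
    and unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            return None  # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be delta-seconds
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None  # max-age is the one required directive
    return max_age, include_sub


class HstsStore:
    """The per-host 'known HSTS host' list a user agent keeps."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, secure, host, header_value, now):
        """Apply an STS header from a response received at time `now`.

        `secure` is True only for HTTPS with no certificate errors; otherwise
        the header is ignored so an on-path attacker cannot plant a policy.
        Returns True if the store was updated.
        """
        if not secure:
            return False
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 deletes the policy
        else:
            self._hosts[host] = (now + max_age, include_sub)  # expiry refreshed
        return True

    def is_known(self, host, now):
        """True if `host` or, with includeSubDomains, a parent domain has a live policy."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired entries are ignored
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Rewrite http:// to https:// for known hosts; leave other URLs alone."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"  # explicit port 80 becomes the https default
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the header from the post's Apache directive."""
    store = HstsStore()
    now = 1_700_000_000  # constructed clock value
    store.process_response(True, "example.com", "max-age=31536000; includeSubDomains", now)
    return store.rewrite("http://www.example.com/login", now + 60)


if __name__ == "__main__":
    print(demo())
```

The rewrite happens before any request is sent, which is the point of the mechanism: once the policy is cached, a user typing a plain http:// address or following a stripped link is never exposed to a cleartext round trip.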

HSTS-complying browsers include Google Chrome 4+, Firefox 4+ and Opera 12.

I would like to congratulate Jeff Hodges, Collin Jackson and Adam Barth for their work in completing this standard.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
