HTTP Strict Transport Security (HSTS)

Privacy and integrity protection.

Guidance

All government websites must have HSTS.

M-15-13:

Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS)[12] to instruct compliant browsers to assume HTTPS going forward. This reduces the number of insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a “preload list”[13] used by all major browsers to ensure the HSTS policy is in effect at all times.

CIO.gov:

The policy should be deployed at https://domain.gov, not https://www.domain.gov.

About

HTTP Strict Transport Security is a security feature that:

  • Forces web browsers to use HTTPS instead of HTTP.
  • Protects against downgrade attacks and cookie hijacking.
  • Specifies a period during which the browser should enforce HTTPS for the site.

Key points:

  • Activated by the server through a response header (Strict-Transport-Security).
  • Helps improve website security by ensuring encrypted connections.

Code

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
