{"id":44,"date":"2023-09-30T20:09:44","date_gmt":"2023-09-30T20:09:44","guid":{"rendered":"https:\/\/protocolguard.com\/resources\/?p=44"},"modified":"2024-12-14T20:53:02","modified_gmt":"2024-12-14T20:53:02","slug":"what-is-hsts","status":"publish","type":"post","link":"https:\/\/protocolguard.com\/resources\/what-is-hsts\/","title":{"rendered":"What is HTTP Strict Transport Security? (HSTS)"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\n<p>HTTP Strict Transport Security (HSTS) is a helpful way to make web connections safer. It works by making sure that when you visit a website, your browser always uses a secure and encrypted connection called HTTPS, keeping your data safe from hackers who might try to steal it. When a website has this feature&nbsp;enabled, it tells your browser to only connect through the HTTPS protocol, even if you try to use the less secure HTTP protocol. This is important because it stops bad guys from stealing your sensitive information, like your login details or credit card numbers, while you\u2019re visiting a website.<\/p>\n\n\n\n<p>HSTS also has a feature called &#8220;preloading.&#8221; Websites can ask to be on a special list that makes sure HSTS is always turned on, even if you&#8217;ve never visited their site before. 
This extra layer of security helps protect you from certain types of attacks.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#what-is-the-hsts-header\">What is the HSTS Header?<\/a><ul><li><a href=\"#the-hsts-header-in-html\">The HSTS header in HTML<\/a><\/li><li><a href=\"#the-function-of-the-hsts-header\">The function of the HSTS header<\/a><\/li><li><a href=\"#hsts-syntax\">HSTS Syntax<\/a><\/li><li><a href=\"#hsts-directives\">HSTS Directives<\/a><\/li><\/ul><\/li><li><a href=\"#hsts-header-examples\">HSTS Header Examples<\/a><\/li><li><a href=\"#hsts-browser-compatibility\">HSTS browser compatibility<\/a><\/li><li><a href=\"#how-to-configure-hsts\">How to configure HSTS?<\/a><ul><li><a href=\"#configuring-hsts-on-nginx\">Configuring HSTS on Nginx<\/a><\/li><li><a href=\"#setting-up-hsts-on-apache\">Setting up HSTS on Apache<\/a><\/li><li><a href=\"#how-to-set-hsts-on-caddy\">How to set HSTS on Caddy<\/a><\/li><li><a href=\"#configuring-hsts-on-lighttpd\">Configuring HSTS on Lighttpd<\/a><\/li><li><a href=\"#enabling-hsts-on-lite-speed\">Enabling HSTS on LiteSpeed<\/a><\/li><li><a href=\"#configuring-hsts-on-cloudflare\">Configuring HSTS on Cloudflare<\/a><\/li><\/ul><\/li><li><a href=\"#setting-hsts-on-iis\">Setting HSTS on IIS<\/a><\/li><li><a href=\"#testing-the-hsts-configuration\">Testing the HSTS configuration<\/a><\/li><li><a href=\"#fixing-the-hsts-header-misconfiguration\">Fixing the HSTS header misconfiguration<\/a><\/li><li><a href=\"#hsts-faq\">HSTS FAQ<\/a><ul><li><a href=\"#what-does-hsts-mean\">What does HSTS mean?<\/a><\/li><li><a href=\"#is-hsts-necessary\">Is HSTS necessary?<\/a><\/li><li><a href=\"#is-hsts-a-vulnerability\">Is HSTS a vulnerability?<\/a><\/li><\/ul><\/li><li><a href=\"#summary\">Summary<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-the-hsts-header\">What is the HSTS Header?<\/h2>\n\n\n\n<p>The HTTP Strict 
Transport Security header is an important part of web communication that helps make connections more secure. When a website sends this header to a user&#8217;s browser, it tells the browser to always connect to that website using a secure connection called <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/HTTPS\" target=\"_blank\" rel=\"noopener\">HTTPS<\/a>. This means all communication between the browser and the website will be protected and encrypted.<\/p>\n\n\n\n<p>This header ensures that visits to a website are done securely and that the user&#8217;s personal data is protected from potential threats. It prevents browsers from trying to connect to the website through an insecure connection, which could expose users&#8217; personal information.<\/p>\n\n\n\n<p>According to <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Strict-Transport-Security\" target=\"_blank\" rel=\"noopener\">Mozilla<\/a>, &#8220;The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS&#8221;.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-hsts-header-in-html\">The HSTS header in HTML<\/h3>\n\n\n\n<p>The HTTP Strict Transport Security header is not a part of HTML itself, but a security feature set up on the web server through <a href=\"https:\/\/protocolguard.com\/resources\/what-are-http-headers\/\">HTTP headers<\/a>. It&#8217;s important to note that this header is not directly defined or configured in the HTML code of a web page; it&#8217;s configured on the web server.<\/p>\n\n\n\n<p>When a web server sends this header to a user&#8217;s browser, it tells the browser to always connect to the website using a secure HTTPS connection instead of an insecure HTTP connection. 
This is done to improve security and ensure that all communication between the browser and the website is <a href=\"https:\/\/protocolguard.com\/resources\/http-public-key-pinning\/\">encrypted<\/a> and protected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-function-of-the-hsts-header\">The function of the HSTS header<\/h3>\n\n\n\n<p>The HSTS (HTTP Strict Transport Security) header has one main job: to make web connections more secure. It does this by telling your web browser to always connect to a website using a safe connection called HTTPS. This means that all communication between your browser and the website will be protected and encrypted.<\/p>\n\n\n\n<p>This header ensures that when you visit a website, it happens securely, keeping your personal information safe and preventing connections from being vulnerable to possible attacks. It helps make your online experience safer.<\/p>\n\n\n\n<p>W3Techs indicates that HSTS is currently <a href=\"https:\/\/w3techs.com\/technologies\/details\/ce-hsts\" target=\"_blank\" rel=\"noopener\">used by 27,4%<\/a> of websites.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hsts-syntax\">HSTS Syntax<\/h3>\n\n\n\n<p>The syntax of the HTTP Strict Transport Security header is pretty straightforward. It&#8217;s used in the server&#8217;s response and follows a simple format. Here&#8217;s the basic structure:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=value[; includeSubDomains][; preload]<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hsts-directives\">HSTS Directives<\/h3>\n\n\n\n<p>The directives help control various aspects of how the header works for a website. Here are the common directives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>max-age<\/strong>: this is the most important part. It indicates how long (in seconds) the browser should remember to use HTTPS when connecting to the website. 
For example, max-age=31536000 means the browser will remember this policy for one year.<\/li>\n\n\n\n<li><strong>includeSubDomains<\/strong> (optional): if this directive is included, the HSTS policy applies not only to the main domain but also to all subdomains. For example, using \u201cStrict-Transport-Security: max-age=31536000; includeSubDomains\u201d ensures that all subdomains of the website also use HTTPS.<\/li>\n\n\n\n<li><strong>preload<\/strong> (optional): This directive indicates that the website wants to be considered for the HSTS preload list in browsers. This means that the header will be automatically enforced, even for users who have never visited the site before. To be preloaded, you must meet certain security requirements and submit a request to the browser.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hsts-header-examples\">HSTS Header Examples<\/h2>\n\n\n\n<p>Let\u2019s see a few examples of HSTS headers with different configurations.<\/p>\n\n\n\n<p>Basic setting: this header sets a simple policy for 1 year for the main domain:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=31536000<\/pre>\n\n\n\n<p>Subdomains: this header applies the policy to all subdomains of the main domain for 6 months:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=15552000; includeSubDomains<\/pre>\n\n\n\n<p>Preload: this header requests inclusion in the HSTS preload list and sets a policy for 1 year for the main domain and its subdomains:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<\/pre>\n\n\n\n<p>HSTS with Preload and Excluded Subdomains: HSTS has no directive for excluding a specific subdomain (e.g., &#8220;subdomain.example.com&#8221;). A token such as excludeSubDomains is not part of the header syntax, and browsers ignore directives they do not recognize, so a header that carries includeSubDomains applies to every subdomain. The preload list also requires includeSubDomains, so a site with a subdomain that cannot be served over HTTPS should leave out both includeSubDomains and preload and send the policy for the main domain only:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=31536000<\/pre>\n\n\n\n<p>These examples show different HSTS header configurations that web servers can send as part of their HTTP responses to enhance the security of web connections and protect users against security threats.
Keep in mind that the duration (max-age) and the inclusion of subdomains (includeSubDomains) can vary based on the website&#8217;s security needs. The preload option is optional and requires meeting specific requirements for inclusion in browsers&#8217; preload lists.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hsts-browser-compatibility\">HSTS browser compatibility<\/h2>\n\n\n\n<p>HSTS works well with <a href=\"https:\/\/www.chromium.org\/hsts\/\" target=\"_blank\" rel=\"noopener\">most modern web browsers<\/a>, which means it&#8217;s effective for making web connections more secure.<\/p>\n\n\n\n<p>Browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari support it. Some of them even have a list of websites that use it for added security. Older versions of Internet Explorer may not fully support it, so it&#8217;s better to encourage users to use more up-to-date and secure browsers.<\/p>\n\n\n\n<p>Mobile browsers on Android and iOS devices also support it, including Chrome and Safari on mobile. Some browsers, like Chrome and Firefox, have a special feature called &#8220;preloading.&#8221; Websites can ask to be on a list in these browsers so that the header is enforced, even for people visiting the site for the first time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-configure-hsts\">How to configure HSTS?<\/h2>\n\n\n\n<p>The configuration of this header can vary depending on the web server you are using. 
Below, we will provide you with general instructions for setting up HSTS on various popular web servers, as well as on Cloudflare.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-hsts-on-nginx\">Configuring HSTS on Nginx<\/h3>\n\n\n\n<p>Open your Nginx site configuration file in a text editor. It is usually located in \/etc\/nginx\/sites-available\/ or \/etc\/nginx\/conf.d\/, depending on your Linux distro.<\/p>\n\n\n\n<p>Add the following line within the server block to enable HSTS:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\";<\/pre>\n\n\n\n<p>This sets a policy for 1 year (31536000 seconds) and includes subdomains (includeSubDomains).<\/p>\n\n\n\n<p>Save and close the configuration file, and now restart Nginx to apply the changes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setting-up-hsts-on-apache\">Setting up HSTS on Apache<\/h3>\n\n\n\n<p>Open your Apache site configuration file in a text editor; on most modern distros it&#8217;s located in \/etc\/apache2\/sites-available\/.<\/p>\n\n\n\n<p>Add the following line within the desired VirtualHost block to enable this header:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains\"<\/pre>\n\n\n\n<p>Save and close the configuration file.<\/p>\n\n\n\n<p>Don&#8217;t forget to enable the headers module if it&#8217;s not already enabled:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">a2enmod headers<\/pre>\n\n\n\n<p>Restart Apache to apply the changes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-to-set-hsts-on-caddy\">How to set HSTS on Caddy<\/h3>\n\n\n\n<p>Open your Caddyfile in a text editor.<\/p>\n\n\n\n<p>Add the following to enable it:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">header Strict-Transport-Security \"max-age=31536000; includeSubDomains\"<\/pre>\n\n\n\n<p>Save the file and restart Caddy:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart caddy<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-hsts-on-lighttpd\">Configuring HSTS on Lighttpd<\/h3>\n\n\n\n<p>Open the Lighttpd configuration file in a text editor; it&#8217;s usually located in \/etc\/lighttpd\/lighttpd.conf.<\/p>\n\n\n\n<p>Add the following line within the server section to enable HSTS:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">setenv.add-response-header = (\"Strict-Transport-Security\" =&gt; \"max-age=31536000; includeSubDomains\")<\/pre>\n\n\n\n<p>Save and close the configuration file, then restart Lighttpd to apply the changes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart lighttpd<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enabling-hsts-on-lite-speed\">Enabling HSTS on LiteSpeed<\/h3>\n\n\n\n<p>If you&#8217;re using LiteSpeed along with Apache&#8217;s configuration, for example in a cPanel server, just add the following header to your .htaccess file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains\"<\/pre>\n\n\n\n<p>If you&#8217;re using LiteSpeed&#8217;s native configuration, then log in to the LiteSpeed web admin interface.<\/p>\n\n\n\n<p>Click on Virtual Hosts and then on the desired virtual host, then click on Context &gt; Add and select the Static type.<\/p>\n\n\n\n<p>Now set the context URI to \/ and add the header under the setting labeled &#8220;Extra Headers&#8221;:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security \"max-age=31536000\"<\/pre>\n\n\n\n<p>Now just restart LiteSpeed to apply the changes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-hsts-on-cloudflare\">Configuring HSTS on Cloudflare<\/h3>\n\n\n\n<p>For Cloudflare, you can enable the header through 
their web control panel:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to your Cloudflare account.<\/li>\n\n\n\n<li>Select the domain you want to configure.<\/li>\n\n\n\n<li>Go to the &#8220;SSL\/TLS&#8221; section and choose &#8220;Edge Certificates.&#8221;<\/li>\n\n\n\n<li>In the &#8220;HTTP Strict Transport Security (HSTS)&#8221; section, you can enable it and configure the settings according to your needs.<\/li>\n<\/ol>\n\n\n\n<p>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1308\" height=\"196\" src=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-cloudflare.jpg\" alt=\"Enabling HSTS on CloudFlare\" class=\"wp-image-50\" title=\"Enabling HSTS on CloudFlare\" srcset=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-cloudflare.jpg 1308w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-cloudflare-300x45.jpg 300w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-cloudflare-1024x153.jpg 1024w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-cloudflare-768x115.jpg 768w\" sizes=\"auto, (max-width: 1308px) 100vw, 1308px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Save the configuration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"setting-hsts-on-iis\">Setting HSTS on IIS<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open IIS Manager.<\/li>\n\n\n\n<li>Select the site where you want to enable HSTS.<\/li>\n\n\n\n<li>Double-click HTTP Response Headers.<\/li>\n\n\n\n<li>In the Actions panel, click Add.<\/li>\n\n\n\n<li>Set these values:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: Strict-Transport-Security<\/li>\n\n\n\n<li>Value: max-age=31536000; includeSubDomains; preload<\/li>\n<\/ul>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li>Click OK to save the header.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"testing-the-hsts-configuration\">Testing the HSTS configuration<\/h2>\n\n\n\n<p>If you want to test your current HSTS configuration, just follow our steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Access our <a href=\"https:\/\/protocolguard.com\/\">web security scanner<\/a>.<\/li>\n\n\n\n<li>Input your domain in the scan box.<\/li>\n\n\n\n<li>Now tick the two boxes below (\u2018Clear cache\u2019 and \u2018Follow redirects\u2019).<\/li>\n\n\n\n<li>Hit the Scan button.<\/li>\n\n\n\n<li>Now scroll down to the &#8216;HTTP Security Headers&#8217; section and check the \u2018HSTS header\u2019 results: a &#8216;Passed&#8217; in green is good. However, if you get a \u2018Failed\u2019 in red, you must update your current settings.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1253\" height=\"466\" src=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-security-test-results.webp\" alt=\"HSTS test results\" class=\"wp-image-450\" title=\"HSTS test results\" srcset=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-security-test-results.webp 1253w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-security-test-results-300x112.webp 300w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-security-test-results-1024x381.webp 1024w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/09\/hsts-security-test-results-768x286.webp 768w\" sizes=\"auto, (max-width: 1253px) 100vw, 1253px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"fixing-the-hsts-header-misconfiguration\">Fixing the HSTS header misconfiguration<\/h2>\n\n\n\n<p>How to fix the missing HSTS header reported by our web security scanner? 
Fixing this missing header is actually pretty simple: this article already includes the necessary steps to fix this <a href=\"https:\/\/protocolguard.com\/resources\/top-http-misconfigurations\/\">HTTP misconfiguration<\/a> in popular web servers like Apache, Nginx and LiteSpeed, as well as on Lighttpd, Caddy and Cloudflare. You can find this information in the sections above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hsts-faq\">HSTS FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-does-hsts-mean\">What does HSTS mean?<\/h3>\n\n\n\n<p>It stands for &#8220;HTTP Strict Transport Security.&#8221; It&#8217;s a web security feature that ensures web browsers only make secure connections (HTTPS) to a specific website, helping to protect against certain types of cyberattacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-hsts-necessary\">Is HSTS necessary?<\/h3>\n\n\n\n<p>While this feature isn&#8217;t absolutely necessary, it&#8217;s highly recommended, especially for sites that handle sensitive information like passwords or credit card data. Implementing the header significantly improves security by ensuring that connections to your website are always secure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-hsts-a-vulnerability\">Is HSTS a vulnerability?<\/h3>\n\n\n\n<p>No, it is not a vulnerability. In fact, it&#8217;s a security measure designed to address vulnerabilities related to data transport security, such as Man-in-the-Middle attacks and session hijacking.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"summary\">Summary<\/h2>\n\n\n\n<p>HTTP Strict Transport Security (HSTS) is very important for boosting web security. It ensures your web browser always connects to websites using a secure and encrypted connection (HTTPS), safeguarding your data from potential hackers. 
This header tells your browser to use HTTPS exclusively, even if you try to use the less secure HTTP protocol.<\/p>\n\n\n\n<p>It works with popular browsers like Chrome, Firefox, Edge, and Safari. Some older browsers might not fully support it, so it&#8217;s best to use updated ones. Mobile browsers on Android and iOS also support it.<\/p>\n","protected":false},"author":2,"categories":[3],"tags":[],"uagb_author_info":{"display_name":"ProtocolGuard Research Team","author_link":"https:\/\/protocolguard.com\/resources\/author\/researchadmin\/"}}