HTTP Strict-Transport-Security (HSTS) Header
Tells the browser to communicate with the server only over HTTPS, never over plain HTTP, for the lifetime given in the header. Protects against protocol downgrade attacks.
Purpose
Enforces HTTPS-only communication for the host, so that a downgrade to plain HTTP (and the man-in-the-middle position it would give an attacker on the path) is refused by the browser. Syntax:

Strict-Transport-Security: max-age=<seconds>
Strict-Transport-Security: max-age=<seconds>; includeSubDomains
Strict-Transport-Security: max-age=<seconds>; preload
Code Examples
See how to use the Strict-Transport-Security (HSTS) header in different tools and languages.
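The following is an added example, not code from the original page: a small Python module that builds a Strict-Transport-Security value from a policy, parses an incoming value the way RFC 6797 section 6.1 describes (max-age required, directives case-insensitive, duplicates invalid, unknown directives ignored), lints it for the weaknesses a reviewer usually flags, and adds the header to a response only when the response itself is served over HTTPS (RFC 6797 says browsers ignore it on plain-HTTP responses, and servers must not send it there). The one-year minimum and the includeSubDomains requirement used by the linter are the hstspreload.org submission requirements; the function and class names are this example's own.

```python
"""HSTS header builder, parser and linter (added example, not from the original page)."""
from dataclasses import dataclass
from typing import Optional

# hstspreload.org requires max-age of at least one year plus includeSubDomains and preload.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

    def header_value(self) -> str:
        """Serialise the policy as a Strict-Transport-Security header value."""
        parts = [f"max-age={self.max_age}"]
        if self.include_subdomains:
            parts.append("includeSubDomains")
        if self.preload:
            parts.append("preload")
        return "; ".join(parts)


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value per RFC 6797 section 6.1; return None if it is invalid."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be sent as a quoted string
        if name in seen:
            return None                      # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def lint_hsts(value: str) -> list:
    """Return human-readable findings for a header value; an empty list means no concerns."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid: missing, duplicated or malformed max-age directive"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy: the browser stops enforcing HTTPS")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR} seconds)")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain reachable over plain HTTP")
    if policy.preload and (not policy.include_subdomains or policy.max_age < ONE_YEAR):
        findings.append("preload set but preload-list requirements are not met")
    return findings


def add_hsts_header(headers: dict, is_https: bool, policy: HstsPolicy) -> dict:
    """Attach the header to a response header dict, but only on HTTPS responses."""
    if is_https:
        headers["Strict-Transport-Security"] = policy.header_value()
    return headers


if __name__ == "__main__":
    # constructed sample values, not taken from any real site
    for sample in ["max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0"]:
        print(sample, "->", lint_hsts(sample) or "ok")
```

The linter treats max-age=0 as its own finding because that value is the documented way to remove a policy: a server that emits it by mistake silently switches HSTS off for every returning browser.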
Related Headers
Set-Cookie
Sends cookies from the server to the client. The client stores them and sends them back with subsequent requests via the Cookie header.
Cache-Control
Specifies caching directives for both requests and responses. Controls how and for how long content is cached by browsers and intermediate caches.
Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. A critical security header that prevents XSS and data injection attacks.