What does the HSTS header do, and what is the role of max-age and includeSubDomains?
HSTS tells the browser "always connect to this site over HTTPS; never accept HTTP" for a period of time.
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age=31536000— remember this rule for 1 year (in seconds). The header must be re-served on each HTTPS visit to stay in effect. Set max-age high — a short max-age defeats the purpose because the rule expires before the attacker gets another chance.includeSubDomains— apply the rule to every subdomain too. Without this, an attacker can MITMstatic.example.comand steal cookies that are scoped to.example.com.
Why it matters: without HSTS, the first visit (typed example.com, no scheme) goes over HTTP. A network attacker can intercept that request and run sslstrip — rewriting all HTTPS links to HTTP, capturing credentials. HSTS makes the browser refuse to ever speak HTTP to a known HSTS site.
Stronger: add your domain to the HSTS preload list (built into Chrome/Firefox/Safari) — then even the first visit goes over HTTPS, no header required.
Tip: HSTS is only honored over HTTPS — the very first HTTP request is still vulnerable. Preloading is the only way to fix that.