LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What does the HSTS header do, and what is the role of max-age and includeSubDomains?

HSTS tells the browser "always connect to this site over HTTPS; never accept HTTP" for a period of time.

Strict-Transport-Security: max-age=31536000; includeSubDomains

  • max-age=31536000 — remember this rule for 1 year (in seconds). The header must be re-served on each HTTPS visit to stay in effect. Set max-age high — a short max-age defeats the purpose because the rule expires before the attacker gets another chance.
  • includeSubDomains — apply the rule to every subdomain too. Without this, an attacker can MITM static.example.com and steal cookies that are scoped to .example.com.

Why it matters: without HSTS, the first visit (typed example.com, no scheme) goes over HTTP. A network attacker can intercept that request and run sslstrip — rewriting all HTTPS links to HTTP, capturing credentials. HSTS makes the browser refuse to ever speak HTTP to a known HSTS site.

Stronger: add your domain to the HSTS preload list (built into Chrome/Firefox/Safari) — then even the first visit goes over HTTPS, no header required.

Tip: HSTS is only honored over HTTPS — the very first HTTP request is still vulnerable. Preloading is the only way to fix that.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026