What does the HTTP Strict-Transport-Security (HSTS) header do, and what does max-age=63072000; includeSubDomains mean?
Tells the browser "this site, and all its subdomains, must only be accessed over HTTPS for the next 2 years." Any HTTP request gets internally upgraded to HTTPS before leaving the browser.
The example header:
Strict-Transport-Security: max-age=63072000; includeSubDomains
max-age=63072000— 63,072,000 seconds ≈ 2 years. The browser remembers the rule for this long; the timer resets on every fresh HTTPS visit. Long values are required because an attacker only needs one HTTP request to drop a session cookie or run sslstrip.includeSubDomains— apply the rule to every subdomain too. Otherwise an attacker could MITMstatic.example.comand capture cookies scoped to.example.com.
Why this matters for session security: without HSTS, the first request to example.com (typed without a scheme) goes over HTTP. That request carries cookies. A network attacker on the path can sniff them and replay. HSTS makes the browser refuse the HTTP request in the first place.
Even stronger — HSTS preload: submit your domain to the hstspreload.org list, which gets baked into the browser itself. Then even the very first visit goes HTTPS, no header required.
Tip: HSTS itself only kicks in after the first successful HTTPS visit (when the header was received). That gap is what preloading closes. For any site handling money or sensitive personal data, preloading is the modern default.