11

Is the Strict-Transport-Security header intended for HTTP or HTTPS? What I mean is, do I respond with this header on a HTTP connection which in turn tells the browser to use HTTPS only from that point on? Or, is this header only used on a HTTPS response, and will tell the browser to use HTTPS only from then on?

I'm trying to make my site redirect from HTTP to HTTPS if a client tries to access my site under HTTP. So, I'm interested in whether the strict-transport-security header is used for this purpose, or can be used for this purpose.

Dan Dascalescu
Sam
  • The header should ONLY be sent over HTTPS connections. This is to prevent issues with broken clients who don't follow the RFC – makerofthings7 Mar 27 '15 at 18:05
  • "If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s)." http://tools.ietf.org/html/rfc6797 – Colonel Panic May 19 '15 at 16:39

1 Answer

8

The HSTS specification draft contains a chapter on the server processing model. It describes the expected behavior for secure requests:

When replying to an HTTP request that was conveyed over a secure transport, an HSTS Host SHOULD include in its response message an STS header field […]

And for non-secure requests:

If an HSTS Host receives a HTTP request message over a non-secure transport, it SHOULD send a HTTP response message containing a status code indicating a permanent redirect […]

This is also reflected in the various implementation examples of Wikipedia’s HTTP Strict Transport Security article.

Gumbo