HTTP Strict Transport Security (HSTS) is a web security policy mechanism designed to protect HTTPS websites against downgrade attacks and cookie hijacking. A web server configured to use HSTS instructs web browsers (or other client software) to use only HTTPS connections and disallows use of the HTTP protocol.
This instruction is called the “HSTS Policy” and is sent to the client as part of the initial request for a connection using a HTTP response header field (
Strict-Transport-Security). A server’s HSTS Policy includes how long the instructions should be cached by the client and if subdomains are also to use HTTPS only.
HSTS is a permanent part of the HTTPS protocol and specified in RFC 6797.