Web Backend Security Headers
Background
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
Usage
A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers received over plain HTTP are ignored). For example, a server can instruct browsers to use only HTTPS for all requests to the domain for the next year (max-age is specified in seconds; 31,536,000 seconds is one non-leap year) by sending:

Strict-Transport-Security: max-age=31536000
How it works
HSTS allows a web server to declare that browsers must reach it only over HTTPS, never over plain HTTP. This matters because HTTPS uses TLS/SSL to perform a secure handshake, which guarantees that the client and server have verified each other's identity before any application data is exchanged.
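To make the Usage and How-it-works sections concrete, here is an added example (not code from the original page) that models how a browser handles the header: it parses the Strict-Transport-Security value, records the policy only when it arrived over HTTPS, and upgrades later http:// URLs for that host while the policy is unexpired. The in-memory cache dict, the explicit `now` timestamp, and the function names are assumptions of this example; includeSubDomains and preload are real RFC 6797 directives that the text above does not cover.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical cache shape: host -> {"expires": timestamp, "subdomains": bool}

def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797) into directives.

    max-age is mandatory; includeSubDomains and preload are optional flags.
    Returns {} for a malformed header, which a browser would ignore entirely.
    """
    policy = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}  # non-numeric max-age: the whole header is ignored
            policy["max_age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy if "max_age" in policy else {}

def record_policy(cache: dict, host: str, scheme: str, header_value: str, now: float) -> bool:
    """Apply a received header as a browser would; True if it took effect.

    A header seen over plain HTTP is ignored, and max-age=0 clears the host.
    """
    if scheme != "https":
        return False
    policy = parse_hsts(header_value)
    if not policy:
        return False
    if policy["max_age"] == 0:
        cache.pop(host, None)
    else:
        cache[host] = {"expires": now + policy["max_age"],
                       "subdomains": policy.get("includesubdomains", False)}
    return True

def rewrite_url(cache: dict, url: str, now: float) -> str:
    """Upgrade http:// to https:// when an unexpired policy covers the host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    # Check the exact host, then each parent domain that set includeSubDomains.
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry and entry["expires"] > now and (i == 0 or entry["subdomains"]):
            return urlunsplit(parts._replace(scheme="https"))
    return url
```

Note that the http-to-https rewrite happens before any request leaves the client, which is what removes the window a downgrade attack relies on.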
Source of Usage
Typically the HSTS header is set at the top-level domain by a load balancer or reverse proxy, rather than by each individual backend service.
Coming up next
Next, we'll take a look at the X-Frame-Options and X-XSS-Protection headers.