Description
HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website.
HSTS seeks to deal with the potential vulnerability by instructing the browser that a domain can only be accessed using HTTPS. Even if the user enters or follows a plain HTTP link, the browser strictly upgrades the connection to HTTPS.
An HSTS policy is published by sending the following HTTP response header from secure (HTTPS) websites:
Strict-Transport-Security: max-age=15768000
When a browser sees this header from an HTTPS website, it "learns" that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (15768000 seconds).