HTTP Strict Transport Security (HSTS)
J. Hodges, C. Jackson, A. Barth · 2012-11
Abstract
This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS).
Why This RFC Matters
RFC 6797 introduced HSTS, a simple and highly effective defence against SSL-stripping attacks. Once a user agent has received a valid Strict-Transport-Security response header over a TLS connection with no certificate errors or warnings (the header is ignored when it arrives over plain HTTP), it rewrites every http:// reference to that host to https:// before connecting and treats any subsequent certificate error as fatal, with no click-through, for the max-age period the header specifies; a header with max-age=0 clears the stored policy. The includeSubDomains directive extends the policy to all subdomains, and the preload list maintained by browser vendors closes the remaining gap: the very first visit, before any header has been seen. HSTS is widely regarded as a baseline requirement for public-facing HTTPS sites and is flagged when missing by common security-header scanners.
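The header grammar and the user-agent processing rules summarised above (RFC 6797 sections 6.1, 8.1 and 8.3) are small enough to model end to end. The following Python is an added example written for this page, not code from the RFC or from any browser: it parses a Strict-Transport-Security header, keeps a store of known HSTS hosts with expiry and includeSubDomains superdomain matching, and applies the http-to-https URI rewrite. The `preload` directive it recognises is not defined in RFC 6797; it is the token consumed by the browser preload list. The `HstsStore` and `parse_hsts` names, and the injectable clock, are this example's own choices, and all URLs and headers used are constructed sample input.

```python
import ipaddress
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security field value (RFC 6797 s6.1).

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool}
    or None when the header is invalid. max-age is mandatory, any directive
    may appear at most once, names are case-insensitive, values may be
    quoted, and unknown directives are ignored.
    """
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:          # duplicate directive: whole header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():   # delta-seconds = 1*DIGIT
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":       # not in RFC 6797; used by the preload list
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HstsStore:
    """A minimal 'Known HSTS Host' cache as a user agent would keep it."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.hosts = {}           # host -> (expires_at, include_subdomains)

    def note(self, url, header, tls_clean=True):
        """Process the first STS header of a response to `url` (RFC 6797 s8.1).

        Returns True if the store was updated, False if the header was ignored.
        """
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https" or not tls_clean:
            return False          # insecure transport or TLS warnings: ignore
        if _is_ip_literal(host):
            return False          # IP-address hosts are never noted (s8.1.1)
        policy = parse_hsts(header)
        if policy is None:
            return False          # malformed header: ignore
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)   # max-age=0 removes the policy
            return True
        self.hosts[host] = (self.now() + policy["max_age"],
                            policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match whose policy asserts
        includeSubDomains; expired entries are dropped on the way."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now():
                del self.hosts[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """URI loading rule (RFC 6797 s8.3): http -> https, an explicit
        port 80 becomes 443 (the https default), other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store is deliberately per-host and in memory; a real user agent persists it, applies the same logic to every navigation and subresource fetch, and additionally refuses to proceed past certificate errors for any host `is_known` returns True for. Note that nothing here protects the first request to a host the store has never seen, which is exactly the gap the preload list exists to fill.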