HTTP Strict Transport Security (HSTS), specified in RFC 6797, is a security mechanism by which a website declares that it may only be accessed over HTTPS, the secure variant of HTTP, and never over plain HTTP. Conforming web clients then refuse to connect to the site over HTTP.
The HSTS header tells the web browser that it must not load the website over HTTP and must automatically convert every attempt to access the site over HTTP into an HTTPS request. Without it, a website that accepts a connection over HTTP and then redirects to HTTPS lets visitors first communicate with the unencrypted version of the site before they are redirected. An attacker in the network path can exploit that unencrypted first exchange for man-in-the-middle attacks and send visitors to a malicious website instead of the secure version of the original. The same window also allows downgrade attacks and cookie hijacking, which HSTS prevents by forcing HTTPS from the start. The policy applies only for the time period specified in the HSTS header; once it expires, the browser stops enforcing it until it sees the header again.
To prevent even the very first connection to a site from being made over HTTP (before the browser has ever seen its HSTS header), HSTS preload lists are used. A website listed on a preload list can never be contacted over HTTP, not even on the first visit.
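As an added illustration (not part of the original text), the following is a minimal client-side model of the two mechanisms described above: parsing the Strict-Transport-Security header into a stored policy with expiry and includeSubDomains handling, a constructed stand-in for a browser preload list, and the http-to-https rewrite a browser performs for known hosts. The hostnames and the preload entry are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in preload list; entries also cover subdomains.
PRELOAD = {"example.org"}
# Policies learned from responses: hostname -> (expiry timestamp, includeSubDomains flag)
known_hosts = {}

def parse_hsts(header):
    """Return (max_age, include_subdomains) or None if the header value is malformed."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():      # max-age must be a non-negative integer
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_policy(host, header, now):
    """Store the policy from a response; only call this for headers received over HTTPS."""
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    if max_age == 0:
        known_hosts.pop(host, None)       # max-age=0 asks the client to forget the host
    else:
        known_hosts[host] = (now + max_age, include_sub)
    return True

def is_hsts_host(host, now):
    """True if host is preloaded, or host/a parent domain has an unexpired policy."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = known_hosts.get(candidate)
        # A parent domain's policy only covers us if it set includeSubDomains
        if candidate in PRELOAD or (entry and entry[0] > now and (i == 0 or entry[1])):
            return True
    return False

def rewrite_url(url, now):
    """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_hsts_host(parts.hostname, now):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url
```

Expired entries are simply ignored, so a host whose policy has lapsed is reachable over HTTP again until a fresh header is recorded.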