    HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be upgraded to HTTPS.

    Note: This is more secure than configuring an HTTP to HTTPS (301) redirect on your server, because with a redirect the initial HTTP connection is still vulnerable to a man-in-the-middle attack.

    Header type: Response header
    Forbidden request header: No
    Syntax

    Strict-Transport-Security: max-age=<expire-time>
    Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
    Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

    Directives

    max-age=<expire-time>

    The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

    includeSubDomains Optional

    If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

    preload Optional Non-standard

    See Preloading Strict Transport Security for details. When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. Not part of the specification.

    Description

    If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

    The Strict-Transport-Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

    Note: The Strict-Transport-Security header is ignored by the browser when your site has only been accessed using HTTP. Once your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS-capable and will honor the Strict-Transport-Security header. Browsers do this as attackers may intercept HTTP connections to the site and inject or remove the header.

    Strict Transport Security example scenario

    Assume you have logged into a free Wi-Fi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

    Strict Transport Security resolves this problem; as long as you've accessed your bank's website once using HTTPS, and the bank's website uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

    How the browser handles Strict Transport Security

    The first time a site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

    When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

    Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict Transport Security, setting the max-age to 0 (over an HTTPS connection) will immediately expire the Strict-Transport-Security header, allowing access via HTTP.
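The directive rules from the Directives section and the browser behaviour described in this section, as an added Python example (not MDN's text or any browser's code): a parser for the header value, the preload-readiness check the page states, and a small model of the browser's known-HSTS-hosts list. Host names and timestamps are constructed; `parse_hsts`, `preload_ready` and `HstsStore` are names chosen for this example.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).
    Returns None if invalid: max-age missing, non-numeric, or repeated (RFC 6797)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')        # max-age="31536000" is also valid
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the spec requires
    return None if max_age is None else (max_age, include_sub, preload)


def preload_ready(value):
    """hstspreload.org requirements from the page: preload, includeSubDomains, max-age >= 1 year."""
    parsed = parse_hsts(value)
    return parsed is not None and parsed[2] and parsed[1] and parsed[0] >= 31536000


class HstsStore:
    """Models the browser's known-HSTS-hosts list as the page describes it (constructed model)."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, host, value, over_https, cert_ok, now):
        """Record a header from a response; ignored on HTTP or on certificate errors."""
        parsed = parse_hsts(value)
        if not (over_https and cert_ok) or parsed is None:
            return
        max_age, include_sub, _ = parsed
        if max_age == 0:               # max-age=0 expires the entry immediately
            self.hosts.pop(host, None)
        else:                          # every delivery refreshes the expiry
            self.hosts[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if an http:// request for host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False
```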

    Preloading Strict Transport Security

    Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, you can ensure that browsers will connect to your domain only via secure connections. While the service is hosted by Google, all major browsers use this preload list. However, it is not part of the HSTS specification and should not be treated as official.

    Examples

    Using Strict-Transport-Security

    All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks access to pages or subdomains that can only be served over HTTP.

    Strict-Transport-Security: max-age=31536000; includeSubDomains

    Although a max-age of 1 year is acceptable for a domain, two years is the recommended value as explained on https://hstspreload.org.

    In the following example, max-age is set to 2 years and is suffixed with preload, which is necessary for inclusion in the HSTS preload lists of all major web browsers, such as Chromium, Edge, and Firefox.

    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

    Specifications

    Specification: HTTP Strict Transport Security (HSTS), section-6.1


    See also