Its role is that, for some sites, when the user types a URL into the browser without a protocol, the browser assumes HTTPS rather than HTTP.
For example, when a user enters paypal.com, the browser goes straight to https://paypal.com instead of http://paypal.com. Of course, even if your browser does not support HSTS, PayPal itself will redirect you to HTTPS.
So how do you make your site support HSTS? Just add the following line to the HTTP headers of your site's HTTPS response:
Strict-Transport-Security: max-age=16070400; includeSubDomains
When the browser sees this header, it adds the current site to its HSTS list. The roles of max-age (how many seconds the browser remembers the policy) and includeSubDomains speak for themselves.
According to Chrome's documentation, Chrome and Firefox (version >= 4) currently support HSTS; I have not tested this myself.
In addition, Chrome ships with a default HSTS list; paypal.com, lastpass.com, market.android.com and other sites are on it. The current (Chrome 16) list is hard-coded in Chrome's source code (http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state.cc?view=log). In the future this list may be shared across browsers, like the Safe Browsing list.
If you want your site added to Chrome's list, you can email
In fact, most sites with security requirements already detect the protocol on the server side and force a redirect to HTTPS. For these sites, all HSTS does is save you one HTTP request. In some cases, depending on the Set-Cookie attributes, the browser version, and its security settings, that one HTTP request can send a cookie that was set over HTTPS, which is a security risk. Apart from that, HSTS seems to have little effect.
I also checked: Alipay does not send the Strict-Transport-Security header, while PayPal and LastPass do.