What is the HTTP response header "Strict-Transport-Security", and why is it important?


The HTTP response header "Strict-Transport-Security", often abbreviated as HSTS, is a small but powerful mechanism for improving the security of web applications. It instructs browsers to access a site only using HTTPS, even if the user tries to use plain HTTP.

The idea is simple: once a browser receives this header, it remembers that the site should always be accessed securely for a certain period of time. The header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The "max-age" value defines how long, in seconds, the rule remains valid. In the example above, it's one year (31,536,000 seconds). The optional "includeSubDomains" flag tells browsers to apply the same rule to all subdomains as well.

This helps protect users from "protocol downgrade" attacks, where someone tries to trick the browser into connecting over plain HTTP, exposing cookies or credentials in transit. With HSTS enabled, the browser refuses to make that insecure request.

The HSTS header is specified in RFC 6797.

In ASP.NET, you can easily add this header to your application by editing the "web.config" file or using middleware in ASP.NET Core:

// for ASP.NET Core
app.UseHsts();

Once HSTS is in place, make sure your HTTPS configuration is also correct. Otherwise, users might get locked out until the "max-age" period expires. For new sites, it's a good idea to start with a small duration (like an hour or two) and then increase it once you've verified everything works.
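To make the directive rules and the rollout advice above concrete, here is an added Python check (not code from the original post) that parses a Strict-Transport-Security value the way RFC 6797 requires and flags settings a reviewer would question. The header samples and the one-year threshold are assumptions taken from the example earlier on this page.

```python
import re
from dataclasses import dataclass

# Parser for the STS header value (RFC 6797 section 6.1) plus a small
# policy-strength check. Header strings fed to it are constructed samples.
ONE_YEAR = 31_536_000  # seconds, the max-age used in the example above

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

# directive-name [ "=" ( token / quoted-string ) ]
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*$')

def parse_hsts(value):
    """Parse a header value; return None when a browser would ignore it."""
    seen = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            return None  # malformed directive: the whole header is ignored
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        val = m.group(2)
        seen[name] = val.strip('"') if val is not None else None
    age = seen.get("max-age")
    if age is None or not age.isdigit():
        return None  # max-age is required and must be delta-seconds
    return HstsPolicy(int(age), "includesubdomains" in seen, "preload" in seen)

def assess(value):
    """Return findings a defender would raise about this header value."""
    p = parse_hsts(value)
    if p is None:
        return ["invalid: browsers will ignore this header"]
    findings = []
    if p.max_age == 0:
        findings.append("max-age=0 removes the policy (use only for rollback)")
    elif p.max_age < ONE_YEAR:
        findings.append(f"max-age {p.max_age}s is below one year; fine during rollout")
    if not p.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    if p.preload and (p.max_age < ONE_YEAR or not p.include_subdomains):
        findings.append("preload set but preload-list requirements are not met")
    return findings
```

Running assess() on the header from the example above returns no findings, while a rollout value such as max-age=7200 is reported as short and as missing includeSubDomains.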

The header is small, but its impact is big. Many browsers even maintain a "preload list" of known HSTS sites, meaning the browser enforces HTTPS from the very first visit. It's a simple step toward a safer web and well worth including in any production site you write.