Strict Transport Security

Published under a Creative Commons Licence


Have you ever wondered why your web browser keeps rewriting URLs you explicitly typed as http:// to https://, even after you removed the server-side redirect rules that used to enforce HTTPS?

Then your server is probably still configured with HTTP Strict Transport Security (HSTS), a server-side web security feature: a response header that tells user agents (browsers) to use only HTTPS for that host from then on and to rewrite every HTTP request to HTTPS before it is sent. Because the upgrade happens inside the browser, it keeps working after the redirect on the server is gone, until the stored policy expires.

You can check by looking at the response headers of any HTTPS request to your server (browsers only honour the header when it arrives over HTTPS; on a plain HTTP response it is ignored). Look for Strict-Transport-Security; you may find a header that looks like this:

Strict-Transport-Security: max-age=31536000; includeSubdomains

It tells browsers to remember for 31536000 seconds (one year) that requests to this domain, and with includeSubDomains to every subdomain of it as well, must be sent over HTTPS. The browser then rewrites each http:// request to https:// before sending it and, as a side effect, no longer lets the user click through certificate errors for that host. Every HTTPS response carrying the header refreshes the timer, so the policy stays in effect for as long as the server keeps sending it. Note that includeSubDomains covers all subdomains, including any that are not yet served over HTTPS.

To get rid of the behaviour while you reconfigure the server you have two options: serve the header with max-age=0 over HTTPS, which tells browsers to drop the stored policy for the domain, or delete the HSTS entry in the browser itself (in Chrome via chrome://net-internals/#hsts, in Firefox by forgetting the site or clearing its site data; clearing the browsing history by itself does not always remove it). Domains that are on the browser's built-in HSTS preload list cannot be reset this way at all.
