You can instruct your users' browsers to always use the HTTPS protocol, protecting them on insecure networks.

The header informs the browser that the site should never be accessed over plain HTTP and that it should convert all such requests to HTTPS before sending them. This prevents the user from becoming the victim of a so-called man-in-the-middle attack. If the user accidentally connects to an attacker's network (it may mimic a public network at a hotel or similar) and visits a site over HTTP, all of the user's data is exposed to the attacker. This header makes the user's browser use only HTTPS for the site even when HTTP was specified. However, the user must have visited your site once over an HTTPS connection before the header is honored (how would the browser otherwise know?). If it is important that every user is forced onto HTTPS, you can sign your site up for the HSTS preload service. The following three directives can be used with this header:

  • max-age=[seconds] - how long, in seconds, the browser should remember to use only HTTPS for the site.
  • includeSubDomains - specifies that the policy also applies to all subdomains; omit it if that does not hold.
  • preload - only use this if the site is intended to be added to, or is already on, the HSTS preload service list.

Note that when adding the header with a max-age, a careful rollout strategy is advised. Start with a low value and ramp it up: begin with ten minutes (600) for testing and increase it once you have ensured everything still works. This matters especially if the site is already public, since all your users will receive the policy as soon as they visit your site, and if it has undesired side effects for your site, the site will be broken for those users up to the specified expiry time.

Test to see if it’s implemented on your site:

Adding it can look like this:

<add name="Strict-Transport-Security" value="max-age=1200;includeSubDomains"/>

Read more about: How to add headers to your .net site

Previously in the Security Headers series: X-Content-Type-Options

Next up in the Security Headers series: X-XSS-Protection