List of Security Headers

HTTP Strict Transport Security (HSTS)

Response header that instructs the browser to always use HTTPS instead of HTTP when interacting with the web application. This header helps prevent man-in-the-middle attacks that downgrade the connection to plaintext HTTP (SSL stripping).

A proper implementation of the HSTS header should include the following parameters:

includeSubDomains: The Strict Transport Security policy is applied to all subdomains as well. Subdomains of a given domain should not each have their own HSTS policy. For example, the same HSTS policy should be enforced for:

  • example.com

  • www.example.com

  • hr.example.com

max-age: Time (in seconds) for which the browser will remember that the site must only be accessed via HTTPS.

A 301 redirect from HTTP to HTTPS is not a replacement for the HSTS header: the browser's first request is still sent over plaintext HTTP and can be intercepted before the redirect is ever received, whereas with HSTS the browser upgrades the request to HTTPS itself.
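The following Python check puts the two points above together: it parses a Strict-Transport-Security value, verifies that max-age and includeSubDomains are present and sane, and evaluates a redirect chain so that an HTTP 301 to an HTTPS response lacking the header is still reported as a finding. This is an added example, not code from the original page; the one-year minimum for max-age (`MIN_MAX_AGE`) and the sample responses are constructed assumptions for illustration.

```python
"""Validate HSTS header values and redirect chains (added example).

The one-year threshold below is an assumption for illustration; adjust
it to local policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_MAX_AGE = 31536000  # assumed minimum: one year in seconds


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse a value such as 'max-age=31536000; includeSubDomains'.

    Directive names are case-insensitive. Browsers ignore a header that
    lacks max-age or repeats a directive, so both are flagged.
    """
    if header_value is None:
        return HstsResult(present=False, problems=["Strict-Transport-Security header missing"])

    result = HstsResult(present=True)
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            result.problems.append(f"duplicate directive '{name}' (browsers ignore the header)")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                result.max_age = int(value)
            else:
                result.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        # other directives (e.g. preload) are accepted but not evaluated here

    if result.max_age is None:
        result.problems.append("max-age directive missing (browsers ignore the header)")
    elif result.max_age == 0:
        result.problems.append("max-age=0 removes the policy rather than enforcing it")
    elif result.max_age < MIN_MAX_AGE:
        result.problems.append(f"max-age {result.max_age} is below the assumed minimum {MIN_MAX_AGE}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing: subdomains are not covered")
    return result


Hop = Tuple[str, int, Dict[str, str]]  # (scheme, status code, response headers)


def hsts_from_chain(responses: List[Hop]) -> HstsResult:
    """Evaluate the HSTS header on the final HTTPS hop of a redirect chain.

    A 301 from HTTP to HTTPS is not enough on its own; the HTTPS response
    must itself carry a valid policy, so only that hop is examined.
    """
    https_hops = [hop for hop in responses if hop[0] == "https"]
    if not https_hops:
        return HstsResult(present=False, problems=["no HTTPS response in redirect chain"])
    headers = {k.lower(): v for k, v in https_hops[-1][2].items()}
    return parse_hsts(headers.get("strict-transport-security"))


if __name__ == "__main__":
    # Constructed sample: 301 to HTTPS, but the HTTPS response has no HSTS header.
    redirect_only = [
        ("http", 301, {"Location": "https://example.com/"}),
        ("https", 200, {"Content-Type": "text/html"}),
    ]
    print(hsts_from_chain(redirect_only).problems)
    print(parse_hsts("max-age=31536000; includeSubDomains").ok)
```

Run it directly to see the redirect-only chain flagged; in a scanner you would feed `hsts_from_chain` the hops recorded while following redirects from the plain-HTTP URL.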
