The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security.
HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.
[4] The HTTP response header field defined in the HSTS specification, however, remains named "Strict-Transport-Security".
[5] The original draft specification by Jeff Hodges from PayPal, Collin Jackson, and Adam Barth was published on 18 September 2009.
[6] The HSTS specification is based on original work by Jackson and Barth as described in their paper "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks".
The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first publicly introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice".
Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant.
Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge attempt to limit this problem by including a "pre-loaded" list of HSTS sites.
HSTS can also help to prevent having one's cookie-based website login credentials stolen by widely available tools such as Firesheep.
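As an added example (not code from the article or from the HSTS specification's authors), the following Python sketches the user-agent side of what is described above: parsing the Strict-Transport-Security header, remembering the policy for the host for max-age seconds, consulting a pre-loaded list, and deciding whether a plain HTTP request must be upgraded to HTTPS. The PRELOADED entries and all host names are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Stand-in for a browser's built-in "pre-loaded" HSTS list (constructed entries,
# not the real list): host -> whether the entry also covers subdomains.
PRELOADED: Dict[str, bool] = {"preloaded.example": True}

def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains); None means 'ignore this header'."""
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797 6.1: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')  # the value may be a quoted string
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        # anything else (e.g. "preload") is unrecognised by the UA and ignored
    return None if max_age is None else (max_age, include_sub)  # max-age is required

def receive(policies: Dict[str, Tuple[float, bool]], host: str, header: str,
            now: float, over_tls: bool) -> None:
    """Update the per-host cache (host -> (expiry time, includeSubDomains))."""
    # A header seen over plain HTTP could have been injected on the wire: ignore it.
    parsed = parse_sts_header(header) if over_tls else None
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:  # max-age=0 tells the UA to forget the host
        policies.pop(host.lower(), None)
    else:
        policies[host.lower()] = (now + max_age, include_sub)

def must_use_https(policies: Dict[str, Tuple[float, bool]], host: str, now: float) -> bool:
    """True if the UA must rewrite http:// to https:// before connecting."""
    labels = host.lower().split(".")
    for i in range(len(labels)):  # the host itself, then each superdomain
        candidate, exact = ".".join(labels[i:]), i == 0
        if candidate in PRELOADED and (exact or PRELOADED[candidate]):
            return True
        entry = policies.get(candidate)
        if entry and entry[0] > now and (exact or entry[1]):
            return True
    return False
```

Because the upgrade decision happens before any network request, an attacker stripping TLS on the path never sees the plaintext request that a cookie-stealing tool would need.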