Internet Engineering Task Force (IETF) J. Hodges
Request for Comments: 6797 PayPal
Category: Standards Track C. Jackson
ISSN: 2070-1721 Carnegie Mellon University
A. Barth
Google, Inc.
November 2012
HTTP Strict Transport Security (HSTS)
Abstract
This specification defines a mechanism enabling web sites to declare
themselves accessible only via secure connections and/or for users to
be able to direct their user agent(s) to interact with given sites
only over secure connections. This overall policy is referred to as
HTTP Strict Transport Security (HSTS). The policy is declared by web
sites via the Strict-Transport-Security HTTP response header field
and/or by other means, such as user agent configuration, for example.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6797.
Hodges, et al. Standards Track [Page 1]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................4
1.1. Organization of This Specification .........................6
1.2. Document Conventions .......................................6
2. Overview ........................................................6
2.1. Use Cases ..................................................6
2.2. HTTP Strict Transport Security Policy Effects ..............6
2.3. Threat Model ...............................................6
2.3.1. Threats Addressed ...................................7
2.3.1.1. Passive Network Attackers ..................7
2.3.1.2. Active Network Attackers ...................7
2.3.1.3. Web Site Development and Deployment Bugs ...8
2.3.2. Threats Not Addressed ...............................8
2.3.2.1. Phishing ...................................8
2.3.2.2. Malware and Browser Vulnerabilities ........8
2.4. Requirements ...............................................9
2.4.1. Overall Requirement .................................9
2.4.1.1. Detailed Core Requirements .................9
2.4.1.2. Detailed Ancillary Requirements ...........10
3. Conformance Criteria ...........................................10
4. Terminology ....................................................11
5. HSTS Mechanism Overview ........................................13
5.1. HSTS Host Declaration .....................................13
5.2. HSTS Policy ...............................................13
5.3. HSTS Policy Storage and Maintenance by User Agents ........14
5.4. User Agent HSTS Policy Enforcement ........................14
6. Syntax .........................................................14
6.1. Strict-Transport-Security HTTP Response Header Field ......15
6.1.1. The max-age Directive ..............................16
6.1.2. The includeSubDomains Directive ....................16
6.2. Examples ..................................................16
Hodges, et al. Standards Track [Page 2]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
7. Server Processing Model ........................................17
7.1. HTTP-over-Secure-Transport Request Type ...................17
7.2. HTTP Request Type .........................................18
8. User Agent Processing Model ....................................18
8.1. Strict-Transport-Security Response Header Field
Processing ................................................19
8.1.1. Noting an HSTS Host - Storage Model ................20
8.2. Known HSTS Host Domain Name Matching ......................20
8.3. URI Loading and Port Mapping ..............................21
8.4. Errors in Secure Transport Establishment ..................22
8.5. HTTP-Equiv <Meta> Element Attribute .......................22
8.6. Missing Strict-Transport-Security Response Header Field ...23
9. Constructing an Effective Request URI ..........................23
9.1. ERU Fundamental Definitions ...............................23
9.2. Determining the Effective Request URI .....................24
9.2.1. Effective Request URI Examples .....................24
10. Domain Name IDNA-Canonicalization .............................25
11. Server Implementation and Deployment Advice ...................26
11.1. Non-Conformant User Agent Considerations .................26
11.2. HSTS Policy Expiration Time Considerations ...............26
11.3. Using HSTS in Conjunction with Self-Signed Public-Key
Certificates .............................................27
11.4. Implications of includeSubDomains ........................28
11.4.1. Considerations for Offering Unsecured HTTP
Services at Alternate Ports or Subdomains of an
HSTS Host ........................................28
11.4.2. Considerations for Offering Web Applications at
Subdomains of an HSTS Host .......................29
12. User Agent Implementation Advice ..............................30
12.1. No User Recourse .........................................30
12.2. User-Declared HSTS Policy ................................30
12.3. HSTS Pre-Loaded List .....................................31
12.4. Disallow Mixed Security Context Loads ....................31
12.5. HSTS Policy Deletion .....................................31
13. Internationalized Domain Names for Applications (IDNA):
Dependency and Migration ......................................32
Hodges, et al. Standards Track [Page 3]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
14. Security Considerations .......................................32
14.1. Underlying Secure Transport Considerations ...............32
14.2. Non-Conformant User Agent Implications ...................33
14.3. Ramifications of HSTS Policy Establishment Only over
Error-Free Secure Transport ..............................33
14.4. The Need for includeSubDomains ...........................34
14.5. Denial of Service ........................................35
14.6. Bootstrap MITM Vulnerability .............................36
14.7. Network Time Attacks .....................................37
14.8. Bogus Root CA Certificate Phish plus DNS Cache
Poisoning Attack .........................................37
14.9. Creative Manipulation of HSTS Policy Store ...............37
14.10. Internationalized Domain Names ..........................38
15. IANA Considerations ...........................................39
16. References ....................................................39
16.1. Normative References .....................................39
16.2. Informative References ...................................40
Appendix A. Design Decision Notes .................................44
Appendix B. Differences between HSTS Policy and Same-Origin
Policy ................................................45
Appendix C. Acknowledgments .......................................46
1. Introduction
HTTP [RFC2616] may be used over various transports, typically the
Transmission Control Protocol (TCP). However, TCP does not provide
channel integrity protection, confidentiality, or secure host
identification. Thus, the Secure Sockets Layer (SSL) protocol
[RFC6101] and its successor, Transport Layer Security (TLS) [RFC5246]
were developed in order to provide channel-oriented security and are
typically layered between application protocols and TCP. [RFC2818]
specifies how HTTP is layered onto TLS and defines the Uniform
Resource Identifier (URI) scheme of "https" (in practice, however,
HTTP user agents (UAs) typically use either TLS or SSL3, depending
upon a combination of negotiation with the server and user
preferences).
UAs employ various local security policies with respect to the
characteristics of their interactions with web resources, depending
on (in part) whether they are communicating with a given web
resource's host using HTTP or HTTP-over-Secure-Transport. For
example, cookies ([RFC6265]) may be flagged as Secure. UAs are to
send such Secure cookies to their addressed host only over a secure
transport. This is in contrast to non-Secure cookies, which are
returned to the host regardless of transport (although subject to
other rules).
Hodges, et al. Standards Track [Page 4]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
UAs typically announce to their users any issues with secure
connection establishment, such as being unable to validate a TLS
server certificate trust chain, or if a TLS server certificate is
expired, or if a TLS host's domain name appears incorrectly in the
TLS server certificate (see Section 3.1 of [RFC2818]). Often, UAs
enable users to elect to continue to interact with a web resource's
host in the face of such issues. This behavior is sometimes referred
to as "click(ing) through" security [GoodDhamijaEtAl05]
[SunshineEgelmanEtAl09]; thus, it can be described as "click-through
insecurity".
A key vulnerability enabled by click-through insecurity is the
leaking of any cookies the web resource may be using to manage a
user's session. The threat here is that an attacker could obtain the
cookies and then interact with the legitimate web resource while
impersonating the user.
Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
web resources to declare that any interactions by UAs with the web
resource must be conducted securely and that any issues with
establishing a secure transport session are to be treated as fatal
and without direct user recourse. The aim is to prevent click-
through insecurity and address other potential threats.
This specification embodies and refines the approach proposed in
[ForceHTTPS]. For example, rather than using a cookie to convey
policy from a web resource's host to a UA, it defines an HTTP
response header field for this purpose. Additionally, a web
resource's host may declare its policy to apply to the entire domain
name subtree rooted at its host name. This enables HTTP Strict
Transport Security (HSTS) to protect so-called "domain cookies",
which are applied to all subdomains of a given web resource's host
name.
This specification also incorporates notions from [JacksonBarth2008]
in that policy is applied on an "entire-host" basis: it applies to
HTTP (only) over any TCP port of the issuing host.
Note that the policy defined by this specification is distinctly
different than the "same-origin policy" defined in "The Web Origin
Concept" [RFC6454]. These differences are summarized in Appendix B.
Hodges, et al. Standards Track [Page 5]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
1.1. Organization of This Specification
This specification begins with an overview of the use cases, policy
effects, threat models, and requirements for HSTS (in Section 2).
Then, Section 3 defines conformance requirements. Section 4 defines
terminology relevant to this document. The HSTS mechanism itself is
formally specified in Sections 5 through 15.
1.2. Document Conventions
NOTE: This is a note to the reader. These are points that should be
expressly kept in mind and/or considered.
2. Overview
This section discusses the use cases, summarizes the HSTS Policy, and
continues with a discussion of the threat model, non-addressed
threats, and derived requirements.
2.1. Use Cases
The high-level use case is a combination of:
o Web browser user wishes to interact with various web sites (some
arbitrary, some known) in a secure fashion.
o Web site deployer wishes to offer their site in an explicitly
secure fashion for their own, as well as their users', benefit.
2.2. HTTP Strict Transport Security Policy Effects
The effects of the HSTS Policy, as applied by a conformant UA in
interactions with a web resource host wielding such policy (known as
an HSTS Host), are summarized as follows:
1. UAs transform insecure URI references to an HSTS Host into secure
URI references before dereferencing them.
2. The UA terminates any secure transport connection attempts upon
any and all secure transport errors or warnings.
2.3. Threat Model
HSTS is concerned with three threat classes: passive network
attackers, active network attackers, and imperfect web developers.
However, it is explicitly not a remedy for two other classes of
threats: phishing and malware. Threats that are addressed, as well
as threats that are not addressed, are briefly discussed below.
Hodges, et al. Standards Track [Page 6]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
Readers may wish to refer to Section 2 of [ForceHTTPS] for details as
well as relevant citations.
2.3.1. Threats Addressed
2.3.1.1. Passive Network Attackers
When a user browses the web on a local wireless network (e.g., an
802.11-based wireless local area network) a nearby attacker can
possibly eavesdrop on the user's unencrypted Internet Protocol-based
connections, such as HTTP, regardless of whether or not the local
wireless network itself is secured [BeckTews09]. Freely available
wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive
eavesdropping attacks, even if the local wireless network is
operating in a secure fashion. A passive network attacker using such
tools can steal session identifiers/cookies and hijack the user's web
session(s) by obtaining cookies containing authentication credentials
[ForceHTTPS]. For example, there exist widely available tools, such
as Firesheep (a web browser extension) [Firesheep], that enable their
wielder to obtain other local users' session cookies for various web
applications.
To mitigate such threats, some web sites support, but usually do not
force, access using end-to-end secure transport -- e.g., signaled
through URIs constructed with the "https" scheme [RFC2818]. This can
lead users to believe that accessing such services using secure
transport protects them from passive network attackers.
Unfortunately, this is often not the case in real-world deployments,
as session identifiers are often stored in non-Secure cookies to
permit interoperability with versions of the service offered over
insecure transport ("Secure cookies" are those cookies containing the
"Secure" attribute [RFC6265]). For example, if the session
identifier for a web site (an email service, say) is stored in a
non-Secure cookie, it permits an attacker to hijack the user's
session if the user's UA makes a single insecure HTTP request to the
site.
2.3.1.2. Active Network Attackers
A determined attacker can mount an active attack, either by
impersonating a user's DNS server or, in a wireless network, by
spoofing network frames or offering a similarly named evil twin
access point. If the user is behind a wireless home router, an
attacker can attempt to reconfigure the router using default
passwords and other vulnerabilities. Some sites, such as banks, rely
on end-to-end secure transport to protect themselves and their users
from such active attackers. Unfortunately, browsers allow their
users to easily opt out of these protections in order to be usable
Hodges, et al. Standards Track [Page 7]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
for sites that incorrectly deploy secure transport, for example by
generating and self-signing their own certificates (without also
distributing their certification authority (CA) certificate to their
users' browsers).
2.3.1.3. Web Site Development and Deployment Bugs
The security of an otherwise uniformly secure site (i.e., all of its
content is materialized via "https" URIs) can be compromised
completely by an active attacker exploiting a simple mistake, such as
the loading of a cascading style sheet or a SWF (Shockwave Flash)
movie over an insecure connection (both cascading style sheets and
SWF movies can script the embedding page, to the surprise of many web
developers, plus some browsers do not issue so-called "mixed content
warnings" when SWF files are embedded via insecure connections).
Even if the site's developers carefully scrutinize their login page
for "mixed content", a single insecure embedding anywhere on the
overall site compromises the security of their login page because an
attacker can script (i.e., control) the login page by injecting code
(e.g., a script) into another, insecurely loaded, site page.
NOTE: "Mixed content" as used above (see also Section 5.3 in
[W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed
security context" in this specification and should not be
confused with the same "mixed content" term used in the
context of markup languages such as XML and HTML.
2.3.2. Threats Not Addressed
2.3.2.1. Phishing
Phishing attacks occur when an attacker solicits authentication
credentials from the user by hosting a fake site located on a
different domain than the real site, perhaps driving traffic to the
fake site by sending a link in an email message. Phishing attacks
can be very effective because users find it difficult to distinguish
the real site from a fake site. HSTS is not a defense against
phishing per se; rather, it complements many existing phishing
defenses by instructing the browser to protect session integrity and
long-lived authentication tokens [ForceHTTPS].
2.3.2.2. Malware and Browser Vulnerabilities
Because HSTS is implemented as a browser security mechanism, it
relies on the trustworthiness of the user's system to protect the
session. Malicious code executing on the user's system can
compromise a browser session, regardless of whether HSTS is used.
Hodges, et al. Standards Track [Page 8]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
2.4. Requirements
This section identifies and enumerates various requirements derived
from the use cases and the threats discussed above and also lists the
detailed core requirements that HTTP Strict Transport Security
addresses, as well as ancillary requirements that are not directly
addressed.
2.4.1. Overall Requirement
o Minimize, for web browser users and web site deployers, the risks
that are derived from passive and active network attackers, web
site development and deployment bugs, and insecure user actions.
2.4.1.1. Detailed Core Requirements
These core requirements are derived from the overall requirement and
are addressed by this specification.
1. Web sites need to be able to declare to UAs that they should be
accessed using a strict security policy.
2. Web sites need to be able to instruct UAs that contact them
insecurely to do so securely.
3. UAs need to retain persistent data about web sites that signal
strict security policy enablement, for time spans declared by the
web sites. Additionally, UAs need to cache the "freshest" strict
security policy information, in order to allow web sites to
update the information.
4. UAs need to rewrite all insecure UA "http" URI loads to use the
"https" secure scheme for those web sites for which secure policy
is enabled.
5. Web site administrators need to be able to signal strict security
policy application to subdomains of higher-level domains for
which strict security policy is enabled, and UAs need to enforce
such policy.
For example, both example.com and foo.example.com could set
policy for bar.foo.example.com.
Hodges, et al. Standards Track [Page 9]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
6. UAs need to disallow security policy application to peer domains,
and/or higher-level domains, by domains for which strict security
policy is enabled.
For example, neither bar.foo.example.com nor foo.example.com can
set policy for example.com, nor can bar.foo.example.com set
policy for foo.example.com. Also, foo.example.com cannot set
policy for sibling.example.com.
7. UAs need to prevent users from "clicking through" security
warnings. Halting connection attempts in the face of secure
transport exceptions is acceptable. See also Section 12.1 ("No
User Recourse").
NOTE: A means for uniformly securely meeting the first core
requirement above is not specifically addressed by this
specification (see Section 14.6 ("Bootstrap MITM
Vulnerability")). It may be addressed by a future revision of
this specification or some other specification. Note also
that there are means by which UA implementations may more
fully meet the first core requirement; see Section 12 ("User
Agent Implementation Advice").
2.4.1.2. Detailed Ancillary Requirements
These ancillary requirements are also derived from the overall
requirement. They are not normatively addressed in this
specification but could be met by UA implementations at their
implementor's discretion, although meeting these requirements may be
complex.
1. Disallow "mixed security context" loads (see Section 2.3.1.3).
2. Facilitate user declaration of web sites for which strict
security policy is enabled, regardless of whether the sites
signal HSTS Policy.
3. Conformance Criteria
This specification is written for hosts and user agents.
A conformant host is one that implements all the requirements listed
in this specification that are applicable to hosts.
A conformant user agent is one that implements all the requirements
listed in this specification that are applicable to user agents.
Hodges, et al. Standards Track [Page 10]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
4. Terminology
Terminology is defined in this section.
ASCII case-insensitive comparison:
means comparing two strings exactly, codepoint for codepoint,
except that the characters in the range U+0041 .. U+005A (i.e.,
LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the
corresponding characters in the range U+0061 .. U+007A (i.e.,
LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to
also match. See [Unicode] for details.
codepoint:
is a colloquial contraction of Code Point, which is any value in
the Unicode codespace; that is, the range of integers from 0 to
10FFFF(hex) [Unicode].
domain name:
is also referred to as "DNS name" and is defined in [RFC1035] to
be represented outside of the DNS protocol itself (and
implementations thereof) as a series of labels separated by dots,
e.g., "example.com" or "yet.another.example.org". In the context
of this specification, domain names appear in that portion of a
URI satisfying the reg-name production in "Appendix A. Collected
ABNF for URI" in [RFC3986], and the host component from the Host
HTTP header field production in Section 14.23 of [RFC2616].
NOTE: The domain names appearing in actual URI instances and
matching the aforementioned production components may or
may not be a fully qualified domain name.
domain name label:
is that portion of a domain name appearing "between the dots",
i.e., consider "foo.example.com": "foo", "example", and "com" are
all domain name labels.
Hodges, et al. Standards Track [Page 11]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
Effective Request URI:
is a URI, identifying the target resource, that can be inferred by
an HTTP host for any given HTTP request it receives. Such
inference is necessary because HTTP requests often do not contain
a complete "absolute" URI identifying the target resource. See
Section 9 ("Constructing an Effective Request URI").
HTTP Strict Transport Security:
is the overall name for the combined UA- and server-side security
policy defined by this specification.
HTTP Strict Transport Security Host:
is a conformant host implementing the HTTP server aspects of the
HSTS Policy. This means that an HSTS Host returns the
"Strict-Transport-Security" HTTP response header field in its HTTP
response messages sent over secure transport.
HTTP Strict Transport Security Policy:
is the name of the combined overall UA- and server-side facets of
the behavior defined in this specification.
HSTS:
See HTTP Strict Transport Security.
HSTS Host:
See HTTP Strict Transport Security Host.
HSTS Policy:
See HTTP Strict Transport Security Policy.
Known HSTS Host:
is an HSTS Host for which the UA has an HSTS Policy in effect;
i.e., the UA has noted this host as a Known HSTS Host. See
Section 8.1.1 ("Noting an HSTS Host - Storage Model") for
particulars.
Local policy:
comprises policy rules that deployers specify and that are often
manifested as configuration settings.
Hodges, et al. Standards Track [Page 12]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
MITM:
is an acronym for "man in the middle". See "man-in-the-middle
attack" in [RFC4949].
Request URI:
is the URI used to cause a UA to issue an HTTP request message.
See also "Effective Request URI".
UA:
is an acronym for "user agent". For the purposes of this
specification, a UA is an HTTP client application typically
actively manipulated by a user [RFC2616].
unknown HSTS Host:
is an HSTS Host that the user agent has not noted.
5. HSTS Mechanism Overview
This section provides an overview of the mechanism by which an HSTS
Host conveys its HSTS Policy to UAs and how UAs process the HSTS
Policies received from HSTS Hosts. The mechanism details are
specified in Sections 6 through 15.
5.1. HSTS Host Declaration
An HTTP host declares itself an HSTS Host by issuing to UAs an HSTS
Policy, which is represented by and conveyed via the
Strict-Transport-Security HTTP response header field over secure
transport (e.g., TLS). Upon error-free receipt and processing of
this header by a conformant UA, the UA regards the host as a Known
HSTS Host.
5.2. HSTS Policy
An HSTS Policy directs UAs to communicate with a Known HSTS Host only
over secure transport and specifies policy retention time duration.
HSTS Policy explicitly overrides the UA processing of URI references,
user input (e.g., via the "location bar"), or other information that,
in the absence of HSTS Policy, might otherwise cause UAs to
communicate insecurely with the Known HSTS Host.
Hodges, et al. Standards Track [Page 13]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
An HSTS Policy may contain an optional directive -- includeSubDomains
-- specifying that this HSTS Policy also applies to any hosts whose
domain names are subdomains of the Known HSTS Host's domain name.
5.3. HSTS Policy Storage and Maintenance by User Agents
UAs store and index HSTS Policies based strictly upon the domain
names of the issuing HSTS Hosts.
This means that UAs will maintain the HSTS Policy of any given HSTS
Host separately from any HSTS Policies issued by any other HSTS Hosts
whose domain names are superdomains or subdomains of the given HSTS
Host's domain name. Only the given HSTS Host can update or can cause
deletion of its issued HSTS Policy. It accomplishes this by sending
Strict-Transport-Security HTTP response header fields to UAs with new
values for policy time duration and subdomain applicability. Thus,
UAs cache the "freshest" HSTS Policy information on behalf of an HSTS
Host. Specifying a zero time duration signals the UA to delete the
HSTS Policy (including any asserted includeSubDomains directive) for
that HSTS Host. See Section 8.1 ("Strict-Transport-Security Response
Header Field Processing") for details. Additionally, Section 6.2
presents examples of Strict-Transport-Security HTTP response header
fields.
5.4. User Agent HSTS Policy Enforcement
When establishing an HTTP connection to a given host, however
instigated, the UA examines its cache of Known HSTS Hosts to see if
there are any with domain names that are superdomains of the given
host's domain name. If any are found, and of those if any have the
includeSubDomains directive asserted, then HSTS Policy applies to the
given host. Otherwise, HSTS Policy applies to the given host only if
the given host is itself known to the UA as an HSTS Host. See
Section 8.3 ("URI Loading and Port Mapping") for details.
6. Syntax
This section defines the syntax of the Strict-Transport-Security HTTP
response header field and its directives, and presents some examples.
Section 7 ("Server Processing Model") then details how hosts employ
this header field to declare their HSTS Policy, and Section 8 ("User
Agent Processing Model") details how user agents process the header
field and apply the HSTS Policy.
Hodges, et al. Standards Track [Page 14]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
6.1. Strict-Transport-Security HTTP Response Header Field
The Strict-Transport-Security HTTP response header field (STS header
field) indicates to a UA that it MUST enforce the HSTS Policy in
regards to the host emitting the response message containing this
header field.
The ABNF (Augmented Backus-Naur Form) syntax for the STS header field
is given below. It is based on the Generic Grammar defined in
Section 2 of [RFC2616] (which includes a notion of "implied linear
whitespace", also known as "implied *LWS").
Strict-Transport-Security = "Strict-Transport-Security" ":"
[ directive ] *( ";" [ directive ] )
directive = directive-name [ "=" directive-value ]
directive-name = token
directive-value = token | quoted-string
where:
token = <token, defined in [RFC2616], Section 2.2>
quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>
The two directives defined in this specification are described below.
The overall requirements for directives are:
1. The order of appearance of directives is not significant.
2. All directives MUST appear only once in an STS header field.
Directives are either optional or required, as stipulated in
their definitions.
3. Directive names are case-insensitive.
4. UAs MUST ignore any STS header field containing directives, or
other header field value data, that does not conform to the
syntax defined in this specification.
5. If an STS header field contains directive(s) not recognized by
the UA, the UA MUST ignore the unrecognized directives, and if
the STS header field otherwise satisfies the above requirements
(1 through 4), the UA MUST process the recognized directives.
Additional directives extending the semantic functionality of the STS
header field can be defined in other specifications, with a registry
(having an IANA policy definition of IETF Review [RFC5226]) defined
for them at such time.
Hodges, et al. Standards Track [Page 15]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
NOTE: Such future directives will be ignored by UAs implementing
only this specification, as well as by generally
non-conforming UAs. See Section 14.2 ("Non-Conformant User
Agent Implications") for further discussion.
6.1.1. The max-age Directive
The REQUIRED "max-age" directive specifies the number of seconds,
after the reception of the STS header field, during which the UA
regards the host (from whom the message was received) as a Known HSTS
Host. See also Section 8.1.1 ("Noting an HSTS Host - Storage
Model"). The delta-seconds production is specified in [RFC2616].
The syntax of the max-age directive's REQUIRED value (after
quoted-string unescaping, if necessary) is defined as:
max-age-value = delta-seconds
delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host, including the
includeSubDomains directive (if asserted for that HSTS Host).
See also Section 8.1 ("Strict-Transport-Security Response
Header Field Processing").
6.1.2. The includeSubDomains Directive
The OPTIONAL "includeSubDomains" directive is a valueless directive
which, if present (i.e., it is "asserted"), signals the UA that the
HSTS Policy applies to this HSTS Host as well as any subdomains of
the host's domain name.
6.2. Examples
The HSTS header field below stipulates that the HSTS Policy is to
remain in effect for one year (there are approximately 31536000
seconds in a year), and the policy applies only to the domain of the
HSTS Host issuing it:
Strict-Transport-Security: max-age=31536000
The HSTS header field below stipulates that the HSTS Policy is to
remain in effect for approximately six months and that the policy
applies to the domain of the issuing HSTS Host and all of its
subdomains:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Hodges, et al. Standards Track [Page 16]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
The max-age directive value can optionally be quoted:
Strict-Transport-Security: max-age="31536000"
The HSTS header field below indicates that the UA must delete the
entire HSTS Policy associated with the HSTS Host that sent the header
field:
Strict-Transport-Security: max-age=0
The HSTS header field below has exactly the same effect as the one
immediately above because the includeSubDomains directive's presence
in the HSTS header field is ignored when max-age is zero:
Strict-Transport-Security: max-age=0; includeSubDomains
7. Server Processing Model
This section describes the processing model that HSTS Hosts
implement. The model comprises two facets: the first being the
processing rules for HTTP request messages received over a secure
transport (TLS [RFC5246] or SSL [RFC6101]; see also Section 14.1
("Underlying Secure Transport Considerations")), and the second being
the processing rules for HTTP request messages received over
non-secure transports, such as TCP.
7.1. HTTP-over-Secure-Transport Request Type
When replying to an HTTP request that was conveyed over a secure
transport, an HSTS Host SHOULD include in its response message an STS
header field that MUST satisfy the grammar specified above in
Section 6.1 ("Strict-Transport-Security HTTP Response Header Field").
If an STS header field is included, the HSTS Host MUST include only
one such header field.
Establishing a given host as a Known HSTS Host, in the context of a
given UA, MAY be accomplished over HTTP, which is in turn running
over secure transport, by correctly returning (per this
specification) at least one valid STS header field to the UA. Other
mechanisms, such as a client-side pre-loaded Known HSTS Host list,
MAY also be used; e.g., see Section 12 ("User Agent Implementation
Advice").
NOTE: Including the STS header field is stipulated as a "SHOULD" in
order to accommodate various server- and network-side caches
and load-balancing configurations where it may be difficult to
uniformly emit STS header fields on behalf of a given HSTS
Host.
Hodges, et al. Standards Track [Page 17]
RFC 6797 HTTP Strict Transport Security (HSTS) November 2012