Security
HTTP Strict Transport Security
One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
What it is
Strict-Transport-Security — RFC 6797. A response header that pins the browser to HTTPS for max-age seconds, with optional includeSubDomains and preload tokens.
Why it matters
Without HSTS, a single MITM during a cleartext request is enough to strip TLS for a session. With HSTS, once the browser has seen the header over HTTPS it refuses to downgrade for the rest of the max-age window. The base header is risk-free to deploy with a short max-age while you verify that everything on the site works over HTTPS.
Who it applies to
Every HTTPS site — the base header is safe, preload is the irreversible commitment.
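To make the short-max-age-then-preload progression concrete, here is an added example (not code from the WQI page or its scoring engine) that parses a Strict-Transport-Security value per RFC 6797 and classifies the policy. The one-year max-age, includeSubDomains and preload requirements are hstspreload.org's submission rules, stated here as assumptions; the 86400-second "verifying" threshold is an arbitrary cut-off chosen for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # assumed preload-list rule: max-age must be at least one year
VERIFY_THRESHOLD = 86400  # example-only cut-off for "still testing" policies


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value per RFC 6797: directives separated by ';',
    each at most once, max-age mandatory, unknown directives ignored."""
    policy, seen = HstsPolicy(), set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            policy.errors.append(f"directive {name} appears more than once")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age must be a non-negative integer, got {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if "max-age" not in seen:
        policy.errors.append("max-age is required")
    return policy


def assess(value: str) -> dict:
    """Classify the deployment stage and flag a preload token on a policy
    that does not meet the (assumed) preload submission rules."""
    p = parse_hsts(value)
    if p.errors:
        return {"stage": "invalid", "preload_ready": False, "problems": p.errors}
    if p.max_age == 0:
        stage = "clearing"  # max-age=0 tells browsers to forget the pin
    elif p.max_age < VERIFY_THRESHOLD:
        stage = "verifying"  # short max-age: easy to back out while testing
    else:
        stage = "enforcing"
    preload_ready = p.max_age >= ONE_YEAR and p.include_subdomains and p.preload
    problems = []
    if p.preload and not preload_ready:
        problems.append("preload token present but policy does not meet preload requirements")
    return {"stage": stage, "preload_ready": preload_ready, "problems": problems}
```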
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
- See also: Security headers, TLS 1.2+
Standards that share factors with this one
Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.
Other references
- Guidance: MDN — Strict-Transport-Security
- Guidance: OWASP — HSTS Cheat Sheet