HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. When enabled, HSTS forces browsers to interact with the server only over secure HTTPS connections, even if a user attempts to access the site via HTTP. This is achieved by the server sending a special response header (Strict-Transport-Security) that instructs the browser to enforce HTTPS for a specified duration. By eliminating insecure HTTP requests, HSTS strengthens data confidentiality and integrity across web sessions.
The minimum required LOGS version to use HSTS is 3.2.39. To activate this feature, please add the following lines to your /opt/logs/config/config_v1.yaml file and restart LOGS:
hsts_include_subdomains: false
The recommended max-age value for HSTS is typically 31557600 (seconds), which equals 1 year.
This duration is widely considered best practice because it provides long-term protection without requiring frequent revalidation and aligns with browser preload requirements.
Important: Start with a shorter duration (e.g., a few days or weeks) during initial testing to avoid locking users out if there are configuration issues, then increase to 1 year once everything is stable. Be aware that browsers cache an HSTS policy for the full max-age they last received, so even if you deactivate HSTS during this period, browsers that have already seen the header will keep enforcing HTTPS until that duration expires.
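To verify that the header a LOGS instance actually sends matches the guidance above (max-age of one year, includeSubDomains where wanted, no stray preload token), the following added example parses a Strict-Transport-Security value the way a browser reads it and reports what a deployment should fix. It is illustration code written for this page, not part of LOGS or its documentation; the helper names (parse_hsts, check_hsts, fetch_hsts_header) and the sample header values are constructed for the example.

```python
"""Check a Strict-Transport-Security header against the 1-year guidance.

Added example, not LOGS code. parse_hsts() reads the header value per the
RFC 6797 directive syntax, check_hsts() turns a response-header mapping into
a list of findings, and fetch_hsts_header() (network, optional) retrieves the
headers of a live HTTPS URL so the same checks can run against a deployment.
"""
import urllib.request
from dataclasses import dataclass
from typing import Optional

ONE_YEAR_SECONDS = 31557600     # value recommended above (365.25 days)
PRELOAD_MIN_SECONDS = 31536000  # one year of 365 days, the preload-list minimum


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an HSTS header value: directives separated by ';'.

    Directive names are case-insensitive and max-age may be quoted; unknown
    directives are ignored, as browsers do. Without a valid max-age the
    whole header is invalid and a browser discards it.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(headers: dict) -> list:
    """Return findings (strings) for a response-header mapping; [] means OK.

    Header names are matched case-insensitively.
    """
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
            break
    if value is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    policy = parse_hsts(value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive missing or invalid: browsers ignore this header")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0: this clears any cached policy (HSTS disabled)")
    elif policy.max_age < PRELOAD_MIN_SECONDS:
        findings.append(f"max-age {policy.max_age}s is below 1 year; fine for initial rollout, raise later")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requested without includeSubDomains: preload lists require it")
    return findings


def fetch_hsts_header(url: str, timeout: float = 10.0) -> dict:
    """Fetch an HTTPS URL with HEAD and return its response headers (network only)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real LOGS server.
    samples = {
        "stable": {"Strict-Transport-Security": "max-age=31557600; includeSubDomains"},
        "rollout": {"strict-transport-security": "max-age=604800"},
        "preload-wrong": {"Strict-Transport-Security": "max-age=31557600; preload"},
        "missing": {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        print(label, check_hsts(hdrs) or ["ok"])
```

Run it as-is to see the constructed samples evaluated; to check a deployment, call `check_hsts(fetch_hsts_header("https://logs.example.invalid/"))` with your own hostname. A finding of "below 1 year" is expected during the short-duration testing phase described above and should disappear once the max-age is raised.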
