HSTS
Note: This help topic is in development and will be updated in the future.
This feature adds the required HTTP Strict Transport Security (HSTS) headers to the server's responses, as specified in RFC 6797.
Note: HSTS policy headers are ignored over an insecure HTTP connection. For HSTS to take effect, the headers should be served over a secure (HTTPS) connection.
When the browser receives HSTS policy headers, it will no longer attempt to connect to the server with insecure connections for the given period of time.
Usage
    fun Application.main() {
        // ...
        install(HSTS)
        // ...
    }
The code above installs HSTS with the default configuration.
Configuration
maxAge (default is 1 year): how long the client is told to keep the host in its list of known HSTS hosts
includeSubDomains (default is true): adds the includeSubDomains directive, which applies this policy to this domain and any subdomains
preload (default is false): consents to the domain being included in web browsers' preload lists
customDirectives (default is empty): any custom directives supported by a specific user agent
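
To check how a client would read the header this feature emits, the following added example (not part of the original page and not Ktor code) parses a Strict-Transport-Security value according to RFC 6797 and reports the directives listed above. The names HstsPolicy and parseHsts and the sample header values are assumptions made for illustration; the first sample assumes that the 1-year default corresponds to 31536000 seconds.

```kotlin
// Added example, plain Kotlin with no Ktor dependency. All names are hypothetical.
data class HstsPolicy(
    val maxAgeSeconds: Long,
    val includeSubDomains: Boolean,
    val preload: Boolean,
    val otherDirectives: Map<String, String?>
)

private val KNOWN = setOf("max-age", "includesubdomains", "preload")

// Returns the policy a client would record, or null when the header has to be ignored.
// Simplification: a ';' inside a quoted directive value is not handled.
fun parseHsts(headerValue: String, receivedOverHttps: Boolean): HstsPolicy? {
    if (!receivedOverHttps) return null               // HSTS headers are ignored over plain HTTP
    val directives = LinkedHashMap<String, String?>()
    for (part in headerValue.split(';')) {
        val token = part.trim()
        if (token.isEmpty()) continue                 // a stray ';' is tolerated
        val name = token.substringBefore('=').trim().lowercase()   // names are case-insensitive
        val value = if ('=' in token) token.substringAfter('=').trim().removeSurrounding("\"") else null
        if (name in directives) return null           // a directive may appear only once
        directives[name] = value
    }
    val rawAge = directives["max-age"] ?: return null // max-age is the one required directive
    if (!Regex("[0-9]+").matches(rawAge)) return null
    val maxAge = rawAge.toLongOrNull() ?: return null // digits only, but too large for a Long
    return HstsPolicy(
        maxAgeSeconds = maxAge,
        includeSubDomains = "includesubdomains" in directives,
        // preload is not an RFC 6797 directive; preload-list operators look for it
        preload = "preload" in directives,
        otherDirectives = directives.filterKeys { it !in KNOWN }
    )
}

fun main() {
    // Constructed header values, not captured from a real server.
    val samples = listOf(
        "max-age=31536000; includeSubDomains" to true,
        "max-age=31536000; includeSubDomains; preload" to true,
        "max-age=31536000; includeSubDomains" to false,  // same header, served over http
        "includeSubDomains; preload" to true,            // max-age missing
        "max-age=0" to true                              // asks the client to drop the host
    )
    for ((value, https) in samples) {
        println("https=$https \"$value\" -> ${parseHsts(value, https)}")
    }
}
```

A null result means the client keeps whatever policy it already had for the host, so a header that is malformed or served over plain HTTP provides no protection.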