{{tag>hsts apache security header hardening http https ssl encryption howto}}
====== Check HSTS Header ======
* [[https://tools.ietf.org/html/rfc6797#section-5.2|Documentation for HSTS]]
How to check whether a host sends the HTTP Strict Transport Security (HSTS) header: request the site over HTTPS with ''curl --head'' and look for a ''Strict-Transport-Security'' line in the response headers. The header is only honoured by clients when it arrives over a valid HTTPS connection, so always query the https:// URL.
===== Host without HSTS =====
<code bash>
curl --head -s https://www.example.com/
HTTP/2 200
accept-ranges: bytes
age: 319222
cache-control: max-age=604800
content-type: text/html; charset=UTF-8
date: Tue, 19 Jan 2021 22:57:03 GMT
etag: "3147526947"
expires: Tue, 26 Jan 2021 22:57:03 GMT
last-modified: Thu, 17 Oct 2019 07:18:26 GMT
server: ECS (nyb/1D1E)
x-cache: HIT
content-length: 1256
</code>
No ''Strict-Transport-Security'' line appears in the response.
===== Host with HSTS =====
<code bash>
curl --head -s https://www.sdk.de/
HTTP/1.1 200 OK
Date: Tue, 19 Jan 2021 22:56:20 GMT
Server: Apache
Content-Language: de
Expires: Wed, 20 Jan 2021 15:32:32 GMT
Cache-Control: max-age=59772
Pragma: public
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Host,User-Agent
Content-Security-Policy: img-src 'self' data: app.usercentrics.eu maps.googleapis.com www.facebook.com www.youtube.com www.google.com google.com *.google.com www.google.de google.de *.google.de rtclauncher.luware.com rtclauncherapi.luware.com maps.gstatic.com *.ressourcenmangel.de ressourcenmangel.de *.google-analytics.com google-analytics.com maps.google.com *.googletagmanager.com googletagmanager.com googleadservices.com googleusercontent.com *.etracker.com etracker.com *.etracker.de etracker.de stats.g.doubleclick.net; script-src 'self' tagmanager.google.com www.google.de app.usercentrics.eu www.youtube.com s.ytimg.com maps.googleapis.com 'unsafe-inline' 'unsafe-eval' www.facebook.com connect.facebook.net www.google.com rtclauncher.luware.com maps.gstatic.com *.freegeoip.net freegeoip.net app.usercentrics.eu *.googletagmanager.com googletagmanager.com *.etracker.com etracker.com *.etracker.de etracker.de maps.googleapis.com maps.google.com *.google-analytics.com google-analytics.com *.gstatic.com gstatic.com;
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-UA-Compatible: IE=edge
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Content-Type: text/html; charset=utf-8
</code>
To show only the HSTS line, filter the output:
<code bash>
curl --head -s https://www.sdk.de/ | grep Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
</code>
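The grep above only shows whether the line exists. The following script (an added example, not part of the original page) parses the header out of the response and grades the policy: it treats header names case-insensitively, extracts ''max-age'', reports ''includeSubDomains'' and ''preload'', and flags a ''max-age'' below one year, a threshold that is an assumption here. The two sample responses are constructed from the output shown on this page.

```bash
#!/bin/sh
# Added example (not from the original page): grade the Strict-Transport-Security
# header found in a set of HTTP response headers.
# Live use:  curl --head -s https://www.sdk.de/ | check_hsts

# One year in seconds; the threshold is a common recommendation, assumed here.
MIN_MAX_AGE=31536000

# Reads response headers on stdin, prints a verdict, and returns
#   0  HSTS present and max-age >= MIN_MAX_AGE
#   1  HSTS present but max-age below the threshold (0 makes clients forget the policy)
#   2  header missing, or present without a numeric max-age (clients ignore it)
check_hsts() {
    # Header names are case-insensitive; curl ends each header line with CR LF.
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "no HSTS header: clients can still be sent to plain http"
        return 2
    fi
    lower=$(printf '%s' "${hsts#*:}" | tr '[:upper:]' '[:lower:]')
    max_age=$(printf '%s\n' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "HSTS header present but without a numeric max-age: policy is ignored"
        return 2
    fi
    subs=no;    case "$lower" in *includesubdomains*) subs=yes ;; esac
    preload=no; case "$lower" in *preload*) preload=yes ;; esac
    echo "HSTS max-age=$max_age includeSubDomains=$subs preload=$preload"
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "max-age is below $MIN_MAX_AGE seconds (about one year)"
        return 1
    fi
    return 0
}

# Grade a header string without a network call.
check_hsts_string() { printf '%s\n' "$1" | check_hsts; }

# Constructed samples: the first copies the header seen on www.sdk.de above,
# the second mimics the example.com response, which has no HSTS header.
SAMPLE_HSTS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: text/html; charset=utf-8'
SAMPLE_NO_HSTS='HTTP/2 200
server: ECS (nyb/1D1E)
content-type: text/html; charset=UTF-8'

check_hsts_string "$SAMPLE_HSTS"    || echo "-> exit status $?"   # 1: 16070400 s is about 186 days
check_hsts_string "$SAMPLE_NO_HSTS" || echo "-> exit status $?"   # 2: no header at all
```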