What Is HTTP Strict Transport Security (HSTS)?
A security header that tells browsers to only connect to your website over HTTPS. Once a browser receives the HSTS header, it will automatically convert all future HTTP requests to HTTPS for the specified duration, preventing protocol downgrade attacks and cookie hijacking.
In Laravel Applications
Set the HSTS header in Laravel middleware: $response->headers->set("Strict-Transport-Security", "max-age=31536000; includeSubDomains"). Also force HTTPS in production with URL::forceScheme("https") in your AppServiceProvider.
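The two settings above, as a complete added example (not code from the original page): a middleware class that emits the header, and the provider hook that forces HTTPS URLs. The class name StrictTransportSecurity, the registration in bootstrap/app.php (Laravel 11 style) and the environment check are assumptions; older Laravel versions register middleware in app/Http/Kernel.php instead.

```php
<?php
// app/Http/Middleware/StrictTransportSecurity.php  (class name is an assumption)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class StrictTransportSecurity
{
    // One year, as on the page; browsers ignore the policy once max-age expires.
    private const MAX_AGE = 31536000;

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // RFC 6797 requires browsers to ignore an HSTS header received over plain HTTP,
        // so only add it to responses that were actually served over TLS.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                sprintf('max-age=%d; includeSubDomains', self::MAX_AGE)
            );
        }

        return $response;
    }
}

// bootstrap/app.php (Laravel 11): append the middleware to the global stack so
// every response, including redirects and error pages, carries the header.
//
// use App\Http\Middleware\StrictTransportSecurity;
// use Illuminate\Foundation\Configuration\Middleware;
//
// ->withMiddleware(function (Middleware $middleware) {
//     $middleware->append(StrictTransportSecurity::class);
// })

// app/Providers/AppServiceProvider.php: generate https:// links in production so
// no page ever hands the browser an http:// URL to follow.
//
// use Illuminate\Support\Facades\URL;
//
// public function boot(): void
// {
//     if ($this->app->environment('production')) {   // environment check is an assumption
//         URL::forceScheme('https');
//     }
// }
```

Verify the deployment with `curl -sI https://your-domain/ | grep -i strict-transport-security`; the header must appear on the HTTPS response, and the HTTP port should answer with a redirect to HTTPS rather than serving content. Because includeSubDomains binds every subdomain to HTTPS for a full year in every visiting browser, confirm that all subdomains serve valid TLS before enabling it; a long max-age cannot be recalled from clients that have already cached it.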
Example
Without HSTS, an attacker on a public WiFi network could intercept the initial HTTP request to your site and redirect the user to a fake version. With HSTS, once the browser has cached the policy from an earlier HTTPS visit, it rewrites the request to HTTPS itself and never sends it over plain HTTP, so there is no HTTP request left to intercept.
Related Terms
Security Headers
HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser what actions are allowed.
SSL/TLS
Cryptographic protocols that provide encrypted communication between a client (browser) and server. SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). TLS 1.2 and 1.3 are the current standards. These protocols ensure data transmitted between users and your application cannot be read or modified in transit by anyone on the network path.
Man-in-the-Middle Attack (MITM)
An attack where an adversary secretly intercepts and potentially modifies communication between two parties who believe they are communicating directly with each other. The attacker can read, inject, or alter data in transit.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.