HTTP Strict Transport Security (HSTS) is a security mechanism used by some websites to ensure that HTTP Secure (HTTPS) is always used by visitors to the site, even if some intermediate system between the visitor's browser and the website attempts a man-in-the-middle (MITM) attack to downgrade the communication to the unencrypted Hypertext Transfer Protocol (HTTP). The HSTS specification was published as Request for Comments (RFC) 6797 on November 19, 2012. One quick way to see whether a site sends the HSTS header is to establish a telnet connection to port 80, the well-known port for HTTP connections, and type a request by hand. E.g.:
$ telnet graa.gsfc.nasa.gov 80
Trying 220.127.116.11...
Connected to gewa.gsfc.nasa.gov.
Escape character is '^]'.
HEAD / HTTP/1.1
HOST: example.com

HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Dec 2017 02:56:57 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://example.com/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.
$
In the example above, once I've connected to port 80 on the server, I use the HEAD request method to specify that I just want to see the response headers. The "HTTP/1.1" specifies that I'm using HTTP version 1.1, which introduced the ability to name a particular website when one web server hosts multiple websites. When HTTP/1.1 is used, the next line must be a Host header naming the website, in this case example.com, and the request is terminated by a blank line. In the response, I see "Strict-Transport-Security: max-age=31536000; includeSubDomains". The "Strict-Transport-Security" header indicates that HSTS is in use for the site and that the site should always be accessed by HTTPS rather than HTTP. The original specification name was "Strict Transport Security (STS)", but that was later changed to "HTTP Strict Transport Security (HSTS)", because the specification only applies to HTTP; the response header name was kept as it was, so it appears as "Strict-Transport-Security". The "max-age=31536000" specifies the period in seconds for which the browser should use HTTPS; 31536000 is the number of seconds in a year, so the response tells the browser to keep using HTTPS for this site for the next year (the browser restarts that timer every time it receives the header again, and a value of max-age=0 tells it to forget the policy). The optional "includeSubDomains" directive signals to the browser that the HSTS policy applies to this host as well as to any subdomains of its domain name. E.g., in this case, if the user put www.example.com, ajax.example.com, telamon.example.com, etc. in the browser's address bar, the browser would know to use HTTPS even if the user typed "http://" before the domain name.

Two caveats are worth knowing. First, RFC 6797 requires browsers to ignore a Strict-Transport-Security header received over plain HTTP, since an attacker on the path could otherwise inject or strip it; the header only takes effect when it arrives over HTTPS. So the port 80 check above only shows that the server emits the header. To confirm what a browser will actually act on, repeat the check over TLS, e.g. "openssl s_client -connect example.com:443" followed by the same HEAD request, or simply "curl -sI https://example.com/". Second, the policy is learned on first contact: a visitor who has never reached the site over HTTPS is still exposed to a downgrade on that very first request, which is the gap the browser vendors' HSTS preload list exists to close.
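As an added example (not from the original page), here is a small Python script that does what a browser does with the header discussed above: it parses the Strict-Transport-Security value according to RFC 6797, decides whether a given hostname is covered (including the includeSubDomains rule and max-age expiry), and rewrites http:// URLs to https:// while the policy is in force. The helper fetch_sts_header() retrieves the header over TLS rather than over port 80, because that is the only transport on which a browser will honour it. The sample header value and timestamp in the __main__ block are constructed from the example response above rather than fetched live, and the function and class names are my own.

```python
"""Added example: parse and apply Strict-Transport-Security headers (RFC 6797).

Not from the original page. The sample header value used in __main__ is
constructed from the example response shown above; fetch_sts_header() is the
only function that touches the network and is only called from __main__.
"""
import http.client
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str                 # the Known HSTS Host, lowercase
    max_age: int              # seconds the policy stays valid
    include_subdomains: bool  # whether subdomains of host are covered too
    received_at: float        # epoch seconds when the header was received


def parse_sts_header(host, value, now):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns an HstsPolicy, or None when a browser must ignore the header
    (missing max-age, non-numeric max-age, or a repeated directive).
    Unknown directives such as "preload" are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be given as a quoted string
        if name in seen:
            return None                      # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(host.lower(), max_age, include_subdomains, now)


def policy_covers(policy, host, now):
    """True if `host` is governed by `policy` at time `now`."""
    if now >= policy.received_at + policy.max_age:
        return False                         # expired; max-age=0 expires immediately
    host = host.lower()
    if host == policy.host:
        return True
    # includeSubDomains matches labels below the host, never sibling or look-alike names
    return policy.include_subdomains and host.endswith("." + policy.host)


def upgrade_url(policies, url, now):
    """Rewrite an http:// URL to https:// when a stored policy covers its host
    (RFC 6797 section 8.3). Port 80 becomes 443; other explicit ports are kept."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not any(policy_covers(p, parts.hostname, now) for p in policies):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fetch_sts_header(host):
    """HEAD / over TLS and return the raw STS header value, or None.
    Uses the network; a browser only honours the header on this transport."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    header = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return header


if __name__ == "__main__":
    # Constructed input: the header from the example response above and a
    # timestamp near its Date header (2017-12-06). Not a live fetch.
    t0 = 1512528000.0
    store = [parse_sts_header("example.com", "max-age=31536000; includeSubDomains", t0)]
    for url in ("http://example.com/", "http://ajax.example.com/lib.js",
                "http://notexample.com/", "http://example.com:8080/admin"):
        print(f"{url:40} -> {upgrade_url(store, url, t0 + 60)}")
    print("a year later:", upgrade_url(store, "http://example.com/", t0 + 31536000))
```

Run it with no arguments to see the rewrites on the constructed input; call fetch_sts_header("example.com") from an interactive session to pull a live header and feed it to parse_sts_header(). Note that the parser is deliberately strict: a header with two max-age directives or with no max-age at all yields None, mirroring the RFC's rule that a malformed header is ignored rather than partially applied.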