When implementing the HTTPS protocol, the website mostly continue to support the HTTP protocol to redirect users to HTTPS when they request a HTTP version of the website. These redirects are not encrypted and are therefore vulnerable to man in the middle attacks. The https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[Strict-Transport-Security policy header] (HSTS) set by an application instructs the web browser to convert any HTTP request to HTTPS.


Web browsers that see the Strict-Transport-Security policy header for the first time record information specified in the header:

* the ``++max-age++`` directive which specify how long the policy should be kept on the web browser.
* the ``++includeSubDomains++`` optional directive which specify if the policy should apply on all sub-domains or not.
* the ``++preload++`` optional directive which is not part of the HSTS specification but supported on all modern web browsers.

With the ``++preload++`` directive the web browser never connects in HTTP to the website and to use this directive, it is required https://hstspreload.org/[to submit] the concerned application to a preload service maintained by Google.