node package manager
Share your code. npm Orgs help your team discover, share, and reuse code. Create a free org »


HTTP Strict Transport Security middleware

Build Status js-standard-style

Looking for a changelog?

This middleware adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.) Note that the header won't tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the express-enforces-ssl module.

This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:

var hsts = require('hsts')
  maxAge: 15552000  // 180 days in seconds 
// Strict-Transport-Security: max-age: 15552000; includeSubDomains 

Note that the max age must be in seconds. This was different in previous versions of this module!

The includeSubDomains directive is present by default. If this header is set on, supported browsers will also use HTTPS on You can disable this:

  maxAge: 15552000,
  includeSubDomains: false

Chrome lets you submit your site for baked-into-Chrome HSTS by adding preload to the header. You can add that with the following code, and then submit your site to the Chrome team at

  maxAge: 10886400,        // Must be at least 18 weeks to be approved by Google 
  includeSubDomains: true, // Must be enabled to be approved by Google 
  preload: true

This header will always be set because the header is ignored in insecure HTTP. If you wish to set it conditionally, you can use setIf:

  maxAge: 1234000,
  setIf: function (req, res) {
    return || (req.headers['x-forwarded-proto'] === 'https')

This header is somewhat well-supported by browsers.