quickjs-tart

quickjs-based runtime for wallet-core logic

HSTS.md (1268B)


<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.

SPDX-License-Identifier: curl
-->

# HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl
7.74.0. Supported "for real" since 7.77.0.

## Standard

[HTTP Strict Transport Security](https://datatracker.ietf.org/doc/html/rfc6797)

## Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent
HTTP-only requests to a hostname present in the cache get internally
"redirected" to the HTTPS version.

## `curl_easy_setopt()` options:

 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
 - `CURLOPT_HSTS` - specify filename where to store the HSTS cache on close
  (and possibly read from at startup)

## curl command line options

 - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
   is `""` (no length) then no file is used, only in-memory cache.

## HSTS cache file format

Lines starting with `#` are ignored.

For each HSTS entry:

    [host name] "YYYYMMDD HH:MM:SS"

The `[host name]` is dot-prefixed if it includes subdomains.

The time stamp is when the entry expires.
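
An added example, not part of curl's documentation or source: a C parser for the cache line format described above, with a check for whether an entry still covers a given host. The struct, the function names and the packed `YYYYMMDDHHMMSS` integer are assumptions of this example; the caller supplies `now` in that same encoding and time zone.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One parsed cache line. Struct and function names are hypothetical. */
struct hsts_entry {
  char host[256];         /* host name with the leading dot removed */
  int include_subdomains; /* 1 when the host name was dot-prefixed */
  long long expires;      /* YYYYMMDDHHMMSS as one comparable number */
};

/* Parse `[host name] "YYYYMMDD HH:MM:SS"`. Returns 1 for a valid entry,
   0 for comments, blank lines and lines that do not match the layout. */
int hsts_parse_line(const char *line, struct hsts_entry *e)
{
  static const char layout[] = "dddddddd dd:dd:dd"; /* d = one digit */
  const char *q = strchr(line, '"');
  int n = 0, i;
  if(line[0] == '#' || !q || strlen(q) < 19 || q[18] != '"')
    return 0;
  if(sscanf(line, " %255[^ \t\"] %n", e->host, &n) != 1 || line + n != q)
    return 0; /* exactly one host token must precede the quoted stamp */
  for(e->expires = 0, i = 0; i < 17; i++) {
    char c = q[1 + i];
    if(layout[i] != 'd' ? c != layout[i] : !isdigit((unsigned char)c))
      return 0;
    if(layout[i] == 'd')
      e->expires = e->expires * 10 + (c - '0');
  }
  e->include_subdomains = (e->host[0] == '.');
  if(e->include_subdomains)
    memmove(e->host, e->host + 1, strlen(e->host)); /* drop the dot */
  return e->host[0] != '\0';
}

/* Does entry e force HTTPS for host at time now (same encoding as expires)? */
int hsts_applies(const struct hsts_entry *e, const char *host, long long now)
{
  size_t hl = strlen(host), el = strlen(e->host), i;
  if(now >= e->expires)
    return 0; /* expired entries no longer upgrade requests */
  if(e->include_subdomains && hl > el && host[hl - el - 1] == '.')
    host += hl - el; /* subdomain: compare the suffix after a label boundary */
  for(i = 0; host[i] && e->host[i]; i++)
    if(tolower((unsigned char)host[i]) != tolower((unsigned char)e->host[i]))
      return 0;
  return host[i] == e->host[i];
}
```

The label-boundary test in `hsts_applies()` is what keeps a dot-prefixed `example.com` entry from matching an unrelated name such as `notexample.com`.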

## Possible future additions

 - `CURLOPT_HSTS_PRELOAD` - provide a set of HSTS hostnames to load first
 - ability to save to something other than a file