Enable HTTP Strict Transport Security

This feature will add required HTTP Strict Transport Security headers to the request according to the RFC 6797.

Please note, that HSTS policy headers are ignored over insecure HTTP connection. For HSTS to take effect it should be served over secure (https) connection.

When browser receives HSTS policy headers, it will no longer attempt to connect to the server with insecure connections for the given period of time.


fun Application.main() {

The code above installs HSTS with the default configuration.


  • maxAge (default is 1 year): duration to tell client to keep host in a list of known HSTS hosts
  • includeSubDomains (default is true): adds includeSubDomains directive, which applies this policy to this domain and any subdomains
  • preload (default is false): consents that the policy allows including the domain into web browser preloading list
  • customDirectives (default is empty): any custom directives supported by specific user-agent