HSTS
The HSTS plugin adds the required HTTP Strict Transport Security headers according to RFC 6797. When a browser receives the HSTS policy header, it stops attempting insecure connections to that server for the given period.
Add dependencies
To use HSTS, you need to include the ktor-server-hsts artifact in the build script:
Install HSTS
To install the HSTS plugin to the application, pass it to the install function in the specified module. The code snippets below show how to install HSTS:
... inside the embeddedServer function call.
... inside the explicitly defined module, which is an extension function of the Application class.
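As an added example (this is not the page's own snippet, which is not reproduced here), the following Kotlin code shows both installation styles just described: HSTS installed inside the embeddedServer lambda, and inside an explicitly defined Application.module() extension function. The port, the route and the response text are assumptions.

```kotlin
import io.ktor.server.application.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.plugins.hsts.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

// Variant 1: install HSTS directly inside the embeddedServer call.
// The port is an assumption; HSTS is only meaningful on a TLS-terminated listener,
// because RFC 6797 tells browsers to ignore the header when it arrives over plain HTTP.
fun startWithEmbeddedServer() {
    embeddedServer(Netty, port = 8443) {
        install(HSTS)   // default policy from HSTSConfig
        routing {
            get("/") { call.respondText("HSTS installed via embeddedServer") }
        }
    }.start(wait = true)
}

// Variant 2: install HSTS in an explicitly defined module, an extension of Application.
// Reference this function from the engine configuration (e.g. application.conf) as usual.
fun Application.module() {
    install(HSTS)   // same default policy, applied to every call in this module
    routing {
        get("/") { call.respondText("HSTS installed via Application.module") }
    }
}
```

To confirm the plugin is active, request a page over HTTPS (for example with `curl -sI https://localhost:8443/`) and check that the response carries a `Strict-Transport-Security` header; a request over plain HTTP is not a valid check, since browsers must ignore the header on insecure transport.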
The HSTS plugin can also be installed to specific routes. This might be useful if you need different HSTS configurations for different application resources.
Configure HSTS
HSTS exposes its settings via HSTSConfig. The example below shows how to use the maxAgeInSeconds property to specify how long the client should keep the host in a list of known HSTS hosts:
You can also provide different HSTS configurations for different hosts using withHost:
You can find the full example here: ssl-engine-main-hsts.