1# HSTS support
2
3HTTP Strict-Transport-Security. Added as experimental in curl
47.74.0. Supported "for real" since 7.77.0.
5
6## Standard
7
8[HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797)
9
10## Behavior
11
12libcurl features an in-memory cache for HSTS hosts, so that subsequent
13HTTP-only requests to a host name present in the cache will get internally
14"redirected" to the HTTPS version.
15
16## `curl_easy_setopt()` options:
17
18 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
19 - `CURLOPT_HSTS` - specify file name where to store the HSTS cache on close
20  (and possibly read from at startup)
21
22## curl cmdline options
23
24 - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
25   is `""` (no length) then no file will be used, only in-memory cache.
26
27## HSTS cache file format
28
29Lines starting with `#` are ignored.
30
31For each hsts entry:
32
33    [host name] "YYYYMMDD HH:MM:SS"
34
35The `[host name]` is dot-prefixed if it is a includeSubDomain.
36
37The time stamp is when the entry expires.
38
39I considered using wget's file format for the HSTS cache. However, they store the time stamp as the epoch (number of seconds since 1970) and I strongly disagree with using that format. Instead I opted to use a format similar to the curl alt-svc cache file format.
40
41## Possible future additions
42
43 - `CURLOPT_HSTS_PRELOAD` - provide a set of preloaded HSTS host names
44 - ability to save to something else than a file
45