xref: /curl/docs/HSTS.md (revision 96ffb570)
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.

SPDX-License-Identifier: curl
-->

# HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl
7.74.0. Supported "for real" since 7.77.0.

## Standard

[HTTP Strict Transport Security](https://datatracker.ietf.org/doc/html/rfc6797)

## Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent
HTTP-only requests to a hostname present in the cache get internally
"redirected" to the HTTPS version.

## `curl_easy_setopt()` options:

 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
 - `CURLOPT_HSTS` - specify filename where to store the HSTS cache on close
  (and possibly read from at startup)

## curl command line options

 - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
   is `""` (no length) then no file is used, only in-memory cache.

## HSTS cache file format

Lines starting with `#` are ignored.

For each hsts entry:

    [host name] "YYYYMMDD HH:MM:SS"

The `[host name]` is dot-prefixed if it includes subdomains.

The time stamp is when the entry expires.
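
As an added example (not curl's own code), the following C program ties the cache file format above to the upgrade decision described under Behavior: it skips `#` lines, treats a dot-prefixed host as covering its subdomains, parses the UTC time stamp without relying on the non-standard `timegm()`, and answers whether a plain-HTTP request to a host must be sent to HTTPS while the entry is unexpired. The sample file text, the host names, and the function names (`hsts_load`, `hsts_parse_stamp`, `hsts_should_upgrade`, `hsts_demo_upgrade`) are constructed for this illustration. It goes slightly beyond the text by matching subdomains only on a label boundary and comparing host names case-insensitively, as RFC 6797 requires.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define HSTS_MAX_ENTRIES 64

/* Entry: host lowercase without the leading dot; include_subdomains if the line was dot-prefixed. */
struct hsts_entry { char host[256]; int include_subdomains; time_t expires; };
struct hsts_cache { struct hsts_entry e[HSTS_MAX_ENTRIES]; size_t n; };

/* Constructed sample in the file format above (not a curl-written file):
 * a dot-prefixed entry covering subdomains, and an exact entry already expired. */
const char HSTS_SAMPLE_FILE[] =
    "# constructed sample HSTS cache\n"
    ".example.com \"20301231 23:59:59\"\n"
    "www.example.org \"20200101 00:00:00\"\n";

/* Days since 1970-01-01 (Howard Hinnant's days_from_civil): avoids timegm(). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2u) / 5u + (unsigned)d - 1u;
    unsigned doe = yoe * 365u + yoe / 4u - yoe / 100u + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse "YYYYMMDD HH:MM:SS" (UTC) into a time_t; (time_t)-1 on a bad stamp. */
time_t hsts_parse_stamp(const char *s)
{
    int y, mo, d, h, mi, se;
    if (sscanf(s, "%4d%2d%2d %2d:%2d:%2d", &y, &mo, &d, &h, &mi, &se) != 6)
        return (time_t)-1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h < 0 || h > 23 ||
        mi < 0 || mi > 59 || se < 0 || se > 60)
        return (time_t)-1;
    return (time_t)(days_from_civil(y, mo, d) * 86400LL + h * 3600 + mi * 60 + se);
}
static void ascii_lower(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Load cache-file text: '#' lines and blank lines are skipped; a dot-prefixed
 * host also covers its subdomains. Returns 0, or -1 on a malformed line. */
int hsts_load(struct hsts_cache *c, const char *text)
{
    c->n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[512], host[256], stamp[32];
        if (len >= sizeof line) return -1;
        memcpy(line, text, len); line[len] = '\0';
        text += nl ? len + 1 : len;
        if (line[0] == '\0' || line[0] == '#') continue;
        if (c->n == HSTS_MAX_ENTRIES) return -1;
        if (sscanf(line, "%255s \"%31[^\"]\"", host, stamp) != 2) return -1;
        struct hsts_entry *e = &c->e[c->n];
        e->include_subdomains = (host[0] == '.');
        snprintf(e->host, sizeof e->host, "%s", host + e->include_subdomains);
        ascii_lower(e->host);
        e->expires = hsts_parse_stamp(stamp);
        if (e->expires == (time_t)-1 || e->host[0] == '\0') return -1;
        c->n++;
    }
    return 0;
}

/* Exact match, or subdomain match on a label boundary for dot-prefixed entries;
 * host names compare ASCII case-insensitively as RFC 6797 requires. */
static int hsts_host_matches(const struct hsts_entry *e, const char *host)
{
    char h[256];
    snprintf(h, sizeof h, "%s", host);
    ascii_lower(h);
    size_t hl = strlen(h), el = strlen(e->host);
    if (hl == el) return strcmp(h, e->host) == 0;
    if (!e->include_subdomains || hl <= el) return 0;
    return h[hl - el - 1] == '.' && strcmp(h + (hl - el), e->host) == 0;
}

/* 1 if an unexpired entry covers `host`, i.e. a plain-HTTP request to it has
 * to go to the HTTPS origin instead; 0 otherwise. */
int hsts_should_upgrade(const struct hsts_cache *c, const char *host, time_t now)
{
    for (size_t i = 0; i < c->n; i++)
        if (c->e[i].expires > now && hsts_host_matches(&c->e[i], host))
            return 1;
    return 0;
}

/* Decide for `host` against the sample file with the clock set to `now_stamp`. */
int hsts_demo_upgrade(const char *host, const char *now_stamp)
{
    struct hsts_cache c;
    time_t now = hsts_parse_stamp(now_stamp);
    if (now == (time_t)-1 || hsts_load(&c, HSTS_SAMPLE_FILE) != 0) return -1;
    return hsts_should_upgrade(&c, host, now);
}
```

Calling `hsts_demo_upgrade("api.example.com", "20250101 00:00:00")` returns 1 because the dot-prefixed `example.com` entry covers it, while `www.example.org` returns 0 at that date because its entry expired on 2020-01-01. Populating the cache from a `Strict-Transport-Security` response header is the other half of an HSTS implementation and is not shown here; this block only covers what the file format and the in-memory lookup need.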

## Possible future additions

 - `CURLOPT_HSTS_PRELOAD` - provide a set of HSTS hostnames to load first
 - ability to save to something other than a file
49