# HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl 7.74.0. Supported "for real" since 7.77.0.

## Standard

[HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797)

## Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent HTTP-only requests to a host name present in the cache get internally "redirected" to the HTTPS version.

## `curl_easy_setopt()` options:

 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
 - `CURLOPT_HSTS` - specify the file name where the HSTS cache is stored on close (and possibly read from at startup)

## curl cmdline options

 - `--hsts [filename]` - enable HSTS, using the file as HSTS cache. If filename is `""` (zero length) then no file is used, only the in-memory cache.

## HSTS cache file format

Lines starting with `#` are ignored.

For each HSTS entry:

    [host name] "YYYYMMDD HH:MM:SS"

The `[host name]` is dot-prefixed if the entry has includeSubDomains set, in which case it also covers every subdomain of that host.

The time stamp is when the entry expires.

I considered using wget's file format for the HSTS cache. However, they store the time stamp as the epoch (number of seconds since 1970) and I strongly disagree with using that format. Instead I opted to use a format similar to the curl alt-svc cache file format.

## Possible future additions

 - `CURLOPT_HSTS_PRELOAD` - provide a set of preloaded HSTS host names
 - ability to save to something else than a file