# HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl
7.74.0. Supported "for real" since 7.77.0.

## Standard

[HTTP Strict Transport Security](https://datatracker.ietf.org/doc/html/rfc6797)

## Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent
HTTP-only requests to a host name present in the cache will get internally
"redirected" to the HTTPS version.

## `curl_easy_setopt()` options:

 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
 - `CURLOPT_HSTS` - specify file name where to store the HSTS cache on close
   (and possibly read from at startup)

## curl command line options

 - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
   is `""` (no length) then no file will be used, only in-memory cache.

## HSTS cache file format

Lines starting with `#` are ignored.

For each HSTS entry:

    [host name] "YYYYMMDD HH:MM:SS"

The `[host name]` is dot-prefixed if it includes subdomains.

The time stamp is when the entry expires.

## Possible future additions

 - `CURLOPT_HSTS_PRELOAD` - provide a set of HSTS host names to load first
 - ability to save to something other than a file
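
A small reader for the cache file format described under "HSTS cache file format", added here as an example and not taken from curl's source: it skips `#` lines, treats a dot-prefixed host as covering the host and its subdomains, and ignores expired entries. The struct, function names, sample entries and the lowercase-host assumption are this example's own; timestamps are compared as strings, which orders them correctly because the layout is fixed-width.

```c
#include <stdio.h>
#include <string.h>
struct hsts_entry {   /* this example's own type, not libcurl's */
  char host[256];     /* host name with the leading dot removed */
  int subdomains;     /* 1 if the line was dot-prefixed */
  char expires[18];   /* "YYYYMMDD HH:MM:SS" */
};

/* Constructed sample cache, not output from a real curl run. */
static const char SAMPLE[] =
  "# constructed sample\n"
  ".example.com \"20301231 23:59:59\"\n"
  "example.org \"20301231 23:59:59\"\n"
  "old.example.net \"20200101 00:00:00\"\n";

/* Returns 1 if the line held an entry, 0 for comments and malformed lines. */
int hsts_parse_line(const char *line, struct hsts_entry *e) {
  char host[256], date[9], tod[9];
  if(line[0] == '#' ||
     sscanf(line, "%255s \"%8[0-9] %8[0-9:]\"", host, date, tod) != 3 ||
     strlen(date) != 8 || strlen(tod) != 8)
    return 0;
  e->subdomains = (host[0] == '.');
  snprintf(e->host, sizeof(e->host), "%s", host + e->subdomains);
  snprintf(e->expires, sizeof(e->expires), "%s %s", date, tod);
  return e->host[0] != '\0';
}

/* Returns 1 if an unexpired entry covers `name` (assumed lowercase). */
int hsts_should_upgrade(const char *cache, const char *name, const char *now) {
  char line[512];
  struct hsts_entry e;
  size_t n = strlen(name), h;
  for(; *cache; cache += strcspn(cache, "\n"), cache += (*cache == '\n')) {
    snprintf(line, sizeof(line), "%.*s", (int)strcspn(cache, "\n"), cache);
    if(!hsts_parse_line(line, &e) || strcmp(now, e.expires) >= 0)
      continue;   /* comment, malformed or expired */
    h = strlen(e.host);
    if(n >= h && !strcmp(name + n - h, e.host) &&
       (n == h || (e.subdomains && name[n - h - 1] == '.')))
      return 1;   /* exact match, or a label-aligned subdomain match */
  }
  return 0;
}

int main(void) {   /* the timestamp argument is a constructed "current" time */
  printf("%d\n", hsts_should_upgrade(SAMPLE, "www.example.com", "20250101 00:00:00"));
  return 0;
}
```

The subdomain test requires a `.` immediately before the matched suffix, so `badexample.com` is not treated as being under `.example.com`.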