const classafSleepSafe::StrictTransportGuard

  afSleepSafe::StrictTransportGuard : afSleepSafe::Guard

Guards against protocol downgrade attacks and Cookie hijacking by setting a Strict-Transport-Security HTTP response header that tells browsers to use HTTPS.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

See HTTP Strict Transport Security (HSTS) and RFC 6797 for details.

IoC Configuration

HSTS is disabled by default as you don't want to force your development environment into using HTTPS! To enable, contribute this class to the SleepSafeMiddleware configuration:

@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config, IocEnv iocEnv) {
    if (iocEnv.isProd)
        config[StrictTransportGuard#] = StrictTransportGuard(5day)


new make(Duration maxAge := 365day, Bool includeSubdomains := false, Bool preload := false)

Creates a StrictTransportGuard instance.

  • maxAge - How long future requests to the domain should go over HTTPS.
  • includeSubdomains - If subdomains should also be HTTPS.
  • preload - Allow this domain to be included in browsers HSTS preload list. See for details.