Menu
Does it make sense to set the Strict-Transport-Security header for API responses (i.e. requests that don't maintain state) and most likely don't originate from browsers.
820
If your API will never be accessed via a web browser then you don't need the HSTS header, however, it may be worth adding it to 'future proof' your API incase you decide it should be accessed via a web browser in the future (and/or you allow HTTP connections in the future).
Generally, you want to set a custom HTTP header for Strict-Transport-Security with the value max-age=31536000; includeSubDomains; preload (or some variant).
The HSTS RFC does not mention APIs unfortunately.
Under 2.1 Use Cases it states:
o Web browser user wishes to interact with various web sites (some
arbitrary, some known) in a secure fashion.
o Web site deployer wishes to offer their site in an explicitly
secure fashion for their own, as well as their users', benefit.
https://www.rfc-editor.org/rfc/rfc6797#section-2.1
As it explicitly states "web browser" I think it is safe to assume that HSTS was designed for resources accessed via a web browser.
If you think your API may be used by web browsers in the future then I'd recommend adding the HSTS header. If your API will never be accessed via a web browser then you don't need the HSTS header, however, it may be worth adding it to 'future proof' your API incase you decide it should be accessed via a web browser in the future (and/or you allow HTTP connections in the future).
187
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
