HTTP Strict Transport Security (HSTS)

HSTS is used by 25.0% of all websites.

Hey guys! Do you know how to make a site communicate over HTTPS even when we try to reach it with HTTP? Wait! Let's figure it out together.

The HTTP Strict-Transport-Security response header informs browsers that the site should only be accessed using HTTPS; if anyone tries to access it over HTTP, the browser diverts them to HTTPS.

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

HSTS only takes effect once the browser has received the header. After that, an attempt to reach the site over plain HTTP (the "failure request" in this walkthrough) is diverted to HTTPS, and the max-age and includeSubDomains properties control how that happens.

  • max-age: the number of seconds for which the browser remembers the policy. Until that time expires, the browser will not let a plain HTTP request to the site go out; it diverts the request to HTTPS instead.

  • includeSubDomains: HSTS can also protect subdomains, but only if the keyword includeSubDomains is present in the header.

Let's get our hands dirty!

Open Chrome DevTools and type "http://youtube.com" in the Chrome address bar. Note that the protocol here is http. In DevTools, open the Network tab and watch the requests as they happen.

You can see several calls to YouTube:

  • In the first call, the status code is '307 Internal Redirect', the Location response header is 'youtube.com', and you can also see a Non-Authoritative-Reason header with the value 'HSTS'.

  • Here the Location header tells the browser the actual URL of the website to load.

  • In the second call, the browser uses the Location above and loads the website. But this time we see a '301 Moved Permanently' status, and again the Location header points to another URL to load.

  • Finally, the third call succeeds and loads the website.

  • Notice that the first call "failed" because we used http, so the browser moved us from http to https. The second call was over https, but the URL was not the exact one, so the server answered with a 301 status code and sent the actual URL in the response header.
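To tie the header directives above to the '307 Internal Redirect' seen in DevTools, here is an added example (not code from this post or from any browser) that models how a browser parses a Strict-Transport-Security value, stores the policy, and upgrades later http:// navigations before they leave the machine; the names parseHsts, storePolicy, applyPolicy and the Map-based store are assumptions for the illustration. It goes a little beyond the walkthrough by also handling two cases it does not show: a header received over plain HTTP is ignored, and a policy whose max-age has run out is dropped.

```javascript
// Added example (not Chrome's code): a minimal model of a browser's HSTS store.
// Parse a Strict-Transport-Security header value into a policy object.
// Returns null for a malformed value (no numeric max-age); browsers ignore those.
function parseHsts(headerValue) {
  let maxAge = null, includeSubDomains = false;
  for (const part of headerValue.split(';')) {
    const [name, value] = part.split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age') {
      if (value === undefined || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Anything else (including 'preload') is not a browser directive here and is ignored.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Remember the policy for a host. A header that arrived over plain HTTP is
// ignored: on an unencrypted connection it could have been injected or stripped.
function storePolicy(store, host, scheme, headerValue, nowSeconds) {
  if (scheme !== 'https') return false;
  const policy = parseHsts(headerValue);
  if (policy === null) return false;
  if (policy.maxAge === 0) store.delete(host); // max-age=0: forget the host
  else store.set(host, { expires: nowSeconds + policy.maxAge,
                         includeSubDomains: policy.includeSubDomains });
  return true;
}

// Decide what happens to a navigation. An http:// URL for a remembered host (or a
// subdomain of one whose policy has includeSubDomains) is rewritten to https://
// before any packet is sent: that is the '307 Internal Redirect' shown in DevTools.
function applyPolicy(store, url, nowSeconds) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return { url, internalRedirect: false };
  const labels = u.hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const host = labels.slice(i).join('.');
    const entry = store.get(host);
    if (!entry) continue;
    if (entry.expires <= nowSeconds) { store.delete(host); continue; } // expired
    if (i === 0 || entry.includeSubDomains) {
      u.protocol = 'https:';
      return { url: u.toString(), internalRedirect: true };
    }
  }
  return { url, internalRedirect: false };
}
```

The preload directive is deliberately ignored by the parser above, as it is by browsers; preloading is a separate submission to the browsers' built-in list, not something the header alone switches on.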