HSTS should be a minimum of 180 days, why?


I did a test of my site at ssllabs. I enabled HSTS for 90 days because I don't know how long I'll use SSL, and my current certificate ends in 89 days.

Now I got the warning:

TOO SHORT (less than 180 days) max-age=7776000

And that leaves me wondering why the minimum is 180 days. What's the reasoning behind a long HSTS?

1 answer

coderanger (best answer, score 3):

The longer the better; SSLLabs has decided that 180 days is their threshold for safe enough. If you're a smaller website, it is very possible that someone won't visit again within the 90 day window, so they wouldn't be protected by HSTS. If you already have it at 90 days, you kind of might as well set it to a year or more, since you can't just turn off TLS after that. Remember it isn't 90 days from when you enable HSTS, it's 90 days from the last visit from a given browser.
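The point about the timer running from the last visit is easy to model. The Python below is an added example, not code from the question or the answer: it parses a Strict-Transport-Security value, keeps a tiny per-host HSTS store the way a browser does (each HTTPS response carrying the header restarts the clock at now + max-age, and max-age=0 drops the entry), and replays a constructed visit schedule against the 90 day header ssllabs flagged and two longer alternatives. The header values, host name and visit days are assumptions made up for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed header values for the comparison: the 90 day one the
# question was warned about, the 180 day threshold, and one year.
HEADER_90_DAYS = "max-age=7776000"
HEADER_180_DAYS = "max-age=15552000"
HEADER_1_YEAR = "max-age=31536000; includeSubDomains"

# Assumed host and a fixed start date so the simulation is deterministic.
HOST = "example.test"
START = datetime(2024, 1, 1)


def max_age_for_days(days: int) -> int:
    """Seconds to put in max-age for a policy of `days` days."""
    return days * 24 * 60 * 60


def parse_max_age(header: str) -> int:
    """Extract the max-age directive (seconds) from an STS header value."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    if m is None:
        raise ValueError("Strict-Transport-Security value has no max-age")
    return int(m.group(1))


class HstsStore:
    """Minimal model of a browser's HSTS cache for one or more hosts.

    Every HTTPS response that carries the header resets the host's expiry
    to now + max-age, so the policy lapses max-age after the LAST visit,
    not max-age after the site first enabled it.
    """

    def __init__(self):
        self.expiry = {}  # host -> datetime at which the entry lapses

    def record_response(self, host: str, header: str, now: datetime) -> None:
        seconds = parse_max_age(header)
        if seconds == 0:
            self.expiry.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self.expiry[host] = now + timedelta(seconds=seconds)

    def forces_https(self, host: str, now: datetime) -> bool:
        """True if a plain http:// navigation would be upgraded right now."""
        exp = self.expiry.get(host)
        return exp is not None and now < exp


def simulate(header: str, visit_days: list) -> list:
    """Replay visits on the given days (offsets from START) for one browser.

    Returns, per visit, whether HSTS was still in force when the browser
    arrived, i.e. before the server had a chance to resend the header.
    The first visit is never protected; that is the trust-on-first-use gap.
    """
    store = HstsStore()
    protected = []
    for day in visit_days:
        now = START + timedelta(days=day)
        protected.append(store.forces_https(HOST, now))
        store.record_response(HOST, header, now)  # visit happened over HTTPS
    return protected


if __name__ == "__main__":
    # Constructed schedule: a visitor who comes back after 60, then 100,
    # then 240 days. With a 90 day policy the third visit is already
    # unprotected; 180 days covers it; one year covers all of them.
    schedule = [0, 60, 160, 400]
    for label, header in [("90 days", HEADER_90_DAYS),
                          ("180 days", HEADER_180_DAYS),
                          ("1 year", HEADER_1_YEAR)]:
        print(label, simulate(header, schedule))
```

Reading the output for the constructed schedule: with max-age=7776000 the browser that last visited on day 60 arrives on day 160 with an expired entry and will happily follow an http:// link or a stripped redirect, which is exactly the case the 180 day threshold is meant to cover for sites that are not visited often.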