# HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl
7.74.0. Supported "for real" since 7.77.0.

## Standard

[HTTP Strict Transport Security](https://datatracker.ietf.org/doc/html/rfc6797)

## Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent
HTTP-only requests to a hostname present in the cache will get internally
"redirected" to the HTTPS version.

## `curl_easy_setopt()` options:

 - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
 - `CURLOPT_HSTS` - specify filename where to store the HSTS cache on close
   (and possibly read from at startup)

## curl command line options

 - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
   is `""` (no length) then no file will be used, only in-memory cache.

## HSTS cache file format

Lines starting with `#` are ignored.

For each HSTS entry:

    [host name] "YYYYMMDD HH:MM:SS"

The `[host name]` is dot-prefixed if it includes subdomains.

The time stamp is when the entry expires.
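
Added example (not curl's own code): a minimal C reader for the cache file format above that reports whether a live entry covers a given host, for auditing which names a saved cache would upgrade. The names `hsts_entry`, `hsts_parse_line`, `hsts_covers`, `hsts_lookup` and the sample lines are this example's own; it assumes `now` uses the same format and time zone as the stored stamps and that an entry is dead once `now` reaches its expiry.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Parsed entry: host without leading dot, subdomain flag, "YYYYMMDD HH:MM:SS" expiry. */
struct hsts_entry { char host[256]; int subdomains; char expires[18]; };
/* Constructed sample cache lines, not taken from a real system. */
static const char *SAMPLE[] = { "# constructed sample",
  ".example.com \"20300101 00:00:00\"", "login.example.org \"20300101 00:00:00\"",
  "old.example.net \"20200101 00:00:00\"", NULL };
/* Parse one line; returns 0 for comments and malformed lines, 1 on success. */
int hsts_parse_line(const char *line, struct hsts_entry *e)
{
  char host[256], date[9], tod[9];
  if(line[0] == '#' ||
     sscanf(line, "%255s \"%8[0-9] %8[0-9:]\"", host, date, tod) != 3 ||
     strlen(date) != 8 || strlen(tod) != 8)
    return 0;
  e->subdomains = (host[0] == '.'); /* dot prefix: entry includes subdomains */
  snprintf(e->host, sizeof(e->host), "%s", host + e->subdomains);
  snprintf(e->expires, sizeof(e->expires), "%s %s", date, tod);
  return e->host[0] != '\0';
}
/* Does this entry cover `name` at time `now`? The fixed-width stamp sorts as text. */
int hsts_covers(const struct hsts_entry *e, const char *name, const char *now)
{
  size_t nlen = strlen(name), hlen = strlen(e->host);
  if(strcmp(now, e->expires) >= 0)
    return 0; /* expired (assumption: expiry instant itself counts as expired) */
  if(nlen <= hlen)
    return strcasecmp(name, e->host) == 0;
  /* subdomain match only on a label boundary: "evilexample.com" must not match */
  return e->subdomains && name[nlen - hlen - 1] == '.' &&
         strcasecmp(name + nlen - hlen, e->host) == 0;
}
/* Returns 1 if any live entry in the NULL-terminated line array covers `name`. */
int hsts_lookup(const char *const *lines, const char *name, const char *now)
{
  struct hsts_entry e;
  for(; *lines; lines++)
    if(hsts_parse_line(*lines, &e) && hsts_covers(&e, name, now))
      return 1;
  return 0;
}
int main(void)
{
  const char *n[] = { "www.example.com", "evilexample.com", "old.example.net" };
  for(int i = 0; i < 3; i++)
    printf("%s: %d\n", n[i], hsts_lookup(SAMPLE, n[i], "20250101 12:00:00"));
  return 0;
}
```

A host that prints `0` here would still be fetched over plain HTTP if requested that way, either because no entry covers it or because its entry has expired.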

## Possible future additions

 - `CURLOPT_HSTS_PRELOAD` - provide a set of HSTS host names to load first
 - ability to save to something other than a file