Government agencies enable HTTP Strict Transport Security for public websites

I’m pleased to announce that the FTC has joined a number of other federal agencies in deploying additional security best practices for our public consumer websites:,, and

The websites, which already employ HTTPS encryption, have enabled a feature known as HTTP Strict Transport Security (HSTS), which tells browsers to encrypt all future communications with the site by default. The result is that when visitors attempt to visit the Do Not Call Registry by entering "" or clicking a link to, HSTS-enabled browsers will automatically encrypt the connection without any additional instruction from the website. This small tweak reduces the potential for an attacker to maliciously redirect (downgrade) their connection or impersonate an FTC website when visitors connect from insecure networks and open Wi-Fi hotspots.
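The browser behaviour described above, modelled as an added example (not FTC or browser code): a toy HSTS host list that records the Strict-Transport-Security header when it arrives over HTTPS and rewrites later http:// URLs for that host. The class and function names are hypothetical and any host names passed in are constructed; the `max-age` and `includeSubDomains` directives are those defined in RFC 6797.

```python
import time
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HSTSStore:
    """Toy model of a browser's list of known HSTS hosts (hypothetical class)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, header):
        parts = urlsplit(url)
        if parts.scheme != "https":  # header is ignored on plain HTTP
            return
        max_age, include_sub = parse_hsts(header)
        host = parts.hostname.lower()
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.clock() + max_age, include_sub)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # Exact match always counts; a parent counts only with includeSubDomains
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # An explicit port 80 is dropped so the request goes to the HTTPS default
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return parts._replace(scheme="https", netloc=netloc).geturl()
```

The store starts empty, so the very first plain-HTTP visit to a host is not upgraded; protection begins only after the header has been received once over HTTPS and lasts until `max-age` expires.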

The cross-agency effort was motivated by the GSA's 18F team, which you can read about here.

This is part of an ongoing effort by federal agencies to improve their websites. Watch this space for future updates.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.


dear ftc, how does this protect the back end of your systems? what if an attacker compromises the back end?

also, can you share how many times a 'man-in-the-middle' attack was an issue for ftc?