
What is HSTS?

A strict rule that tells browsers: "Never, ever talk to this website over an unencrypted connection."


01 The Strict Rule

HSTS (HTTP Strict Transport Security) is a security header that forces a browser to connect to your website using only HTTPS. Even if a user types http://yourdomain.com, the browser will automatically change it to https:// before it even tries to connect.

02 The "One-Way Street" Analogy

Imagine the internet is a city with two types of roads: Dirt Roads (HTTP) and Paved Highways (HTTPS).

The Standard Site
Bridges exist, but people can still choose the unpaved (unsecured) road.

The HSTS Site
You've boarded up the dirt road. The browser now knows there is only one way in.

Once a visitor enters your "One-Way Street," their browser remembers it for months. They can't go back to the insecure road even if they wanted to.

03 Why standard redirects aren't enough

Most sites use a "301 Redirect" to send users from HTTP to HTTPS. However, that first request still leaves the browser over plain HTTP, and an attacker sitting on the network path can intercept it and keep the user on the unencrypted connection instead of passing on the redirect. This is called **SSL Stripping**.

HSTS kills SSL Stripping by telling the browser to never use the insecure connection in the first place.

04 The "Preload" VIP List

Normally, HSTS only takes effect once a browser has seen the header, so the very first visit to your site is still unprotected. To close that gap, Google maintains an HSTS Preload List.

If your site is on this list, browsers (Chrome, Firefox, Safari) already know your site is "HTTPS-only" before they even load it. It's the highest level of security possible.

Preload Requirement

"preload" directive

You must include the preload directive in your header to be eligible for the master list.

05 How to enable HSTS

You enable HSTS by adding a specific line to your server configuration. Browsers only honor the header when it arrives over HTTPS, so it belongs in the HTTPS (port 443) configuration, not the plain-HTTP one. **Warning: Start with a small max-age!**

Standard Secure Header (Recommended)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Implementation (Nginx)

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Implementation (.htaccess)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
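A small checker for the header shown above, added here as an example (not code from the original page or from any browser or scanner): it parses a Strict-Transport-Security value the way a browser does and reports the header-level reasons the preload list would reject it (max-age of at least one year, includeSubDomains, preload), plus the fact that browsers ignore the header when it is sent over plain HTTP. The function and class names are my own.

```python
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # production max-age the page recommends (seconds)

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value as a browser would: directive
    names are case-insensitive, unknown ones are ignored, and without a valid
    max-age the whole header is ignored (raised here so misconfigs are loud)."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(header: str, scheme: str = "https") -> list:
    """Header-level reasons the preload list would reject this site (empty
    list means eligible as far as the header goes; the certificate and
    HTTP->HTTPS redirect checks the list also performs are out of scope)."""
    problems = []
    if scheme != "https":
        # Browsers discard HSTS received over plain HTTP, so it protects nothing.
        problems.append("header must be served over HTTPS")
    policy = parse_hsts(header)
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems
```

Feed it the value you see in the response headers of your HTTPS homepage; the test value max-age=300 from the FAQ below is fine for a rollout but is reported as not yet preload-eligible.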

06 Frequently Asked Questions

Can I disable HSTS easily?

No. Once a browser remembers HSTS, it will refuse to connect via HTTP until the timer (max-age) runs out. Be very careful when setting long durations initially.

What is a good 'max-age' value?

Start with a few minutes (300) to test. Once confirmed, move to 1 week, and finally to 1 year (31536000) for production.

Do I need HSTS if I already have a 301 redirect?

Yes! A redirect can be 'intercepted' during the first millisecond before it switches to HTTPS. HSTS prevents that initial unencrypted connection entirely.

Does HSTS affect SEO?

Yes, positively. Google rewards sites that enforce strict security protocols, and HSTS is the gold standard for enforcing HTTPS.
