01 What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that forces web browsers to interact with websites only using secure HTTPS connections, and never via the insecure HTTP protocol.
It was created to solve a specific vulnerability: when a user types example.com into their browser, the browser defaults to http://example.com. Even if the server immediately redirects to HTTPS, that initial plaintext request is exposed to a Man-in-the-Middle (MitM) attack known as "SSL Stripping", in which the attacker answers the HTTP request themselves and never lets the upgrade happen.
HSTS closes this window of opportunity by telling the browser: "Never try to talk to me over HTTP again. Always auto-upgrade to HTTPS on the client side."
02 Why You Need It
1. Prevents SSL Stripping
Hackers on the same network (like public WiFi) can intercept the initial HTTP request and force the user to stay on HTTP, stealing passwords and data. HSTS prevents the browser from ever making that HTTP request.
2. Stops Mixed Content Errors
By upgrading all insecure requests to HTTPS automatically, HSTS can help mitigate passive mixed content issues that might otherwise trigger security warnings.
3. Protects Against Cookie Hijacking
When used with the Secure flag on cookies, HSTS ensures that sensitive session cookies are never transmitted over an unencrypted connection.
4. Improved SEO
Search engines like Google prioritize secure websites. Implementing HSTS is a strong signal that you take security seriously.
03 How It Works
HSTS works by sending a special response header from the server to the browser:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Here is what each part does:
- max-age: The time (in seconds) that the browser should remember that this site is only to be accessed using HTTPS. 31536000 seconds equals 1 year.
- includeSubDomains: (Optional) Applies this rule to all subdomains as well (e.g., blog.example.com).
- preload: (Optional) Signals that the site owner consents to the domain being added to the browsers' hardcoded HSTS preload list; the directive alone does not add it (see section 05).
04 Implementation Guide
Adding the HSTS header differs depending on your web server.
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Cloudflare / Netlify / Vercel
Most modern CDNs and hosting platforms have a simple toggle in their SSL/TLS settings to enable HSTS.
05 The HSTS Preload List
The "Preload List" is a hardcoded list of domains built into Chrome, Firefox, and Safari that are always HTTPS-only, even for the very first visit.
To get on this list, you must:
- Serve a valid HSTS header with a max-age of at least 1 year.
- Include the includeSubDomains directive.
- Include the preload directive.
- Submit your site to hstspreload.org.
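The following Python script is an added example, not code from the article or from any browser. It models two things described above: the client-side behaviour from section 03 (the browser remembers the policy for max-age seconds, rewrites http:// requests to https://, and honours includeSubDomains) and the preload requirements listed in section 05. It also reflects two RFC 6797 rules the article does not spell out: a Strict-Transport-Security header received over plain HTTP is ignored, and max-age=0 clears a stored policy. The hostnames, header values and timestamps are constructed sample data, and the HstsStore class is a deliberate simplification of a real browser's cache.

```python
"""Added example (not from the original article): a minimal model of the
browser-side HSTS behaviour described in section 03 plus the preload
eligibility rules listed in section 05. Header values and hostnames are
constructed sample data."""
import time
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the max-age value used throughout the article


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds since epoch) when the entry lapses
    include_subdomains: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into
    (max_age, include_subdomains, preload). Returns None when the header is
    unusable (no max-age, or a non-numeric one). Directive names are
    case-insensitive, so 'IncludeSubDomains' is accepted too."""
    max_age = None
    include_subdomains = preload = False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Simplified model of the cache a browser keeps of hosts it has seen HSTS from."""

    def __init__(self):
        self.entries = {}

    def apply_header(self, host, header_value, over_https, now):
        """Record (or clear) the policy a response carried. RFC 6797 only lets a
        browser honour the header on a secure connection, so a value seen over
        plain HTTP is ignored; max-age=0 removes an existing entry."""
        if not over_https:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains, _ = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsPolicy(now + max_age, include_subdomains)

    def should_upgrade(self, host, now):
        """True if an http:// request to host must be rewritten to https://
        before it leaves the browser. Walks from the host up through its
        parent domains so includeSubDomains entries are found."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.entries.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self.entries[candidate]  # expired entries stop protecting
                continue
            if candidate == host or policy.include_subdomains:
                return True
        return False


def preload_problems(header_value):
    """Return the reasons a header would fail the hstspreload.org requirements
    quoted in the article (an empty list means the header is eligible)."""
    parsed = parse_hsts(header_value)
    if parsed is None:
        return ["header missing or has no valid max-age"]
    max_age, include_subdomains, preload = parsed
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    store = HstsStore()
    t0 = time.time()
    store.apply_header("example.com", "max-age=31536000; includeSubDomains", True, t0)
    print(store.should_upgrade("blog.example.com", t0))       # subdomain is covered
    print(store.should_upgrade("example.com", t0 + ONE_YEAR))  # entry has lapsed
    print(preload_problems("max-age=15768000; includeSubDomains"))
```

The expiry check in should_upgrade is why the FAQ's advice about a long max-age matters: once the stored entry lapses, the browser is back to sending the first request over plain HTTP until it sees the header again over HTTPS.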
06 Frequently Asked Questions
Can I use HSTS without SSL?
No. HSTS requires a valid SSL certificate. If you enable HSTS on a site without HTTPS, you will lock users out of your site completely.
What happens if my SSL certificate expires with HSTS enabled?
Users will be completely blocked from accessing your site. Unlike standard HTTPS errors where users can 'click through' the warning, HSTS forbids browsers from bypassing the error.
How long should I set the max-age?
Google recommends a minimum of 6 months (15768000 seconds), but ideally 1 to 2 years (31536000 to 63072000 seconds) for maximum security.
What is the 'includeSubDomains' directive?
It tells the browser that the HSTS policy applies to all subdomains of the current domain as well. Be careful enabling this if you have subdomains that don't support HTTPS.