HSTS — HTTP Strict Transport Security
HTTP header that forces browsers to always connect via HTTPS.
What is HSTS
HSTS (HTTP Strict Transport Security, RFC 6797) is an HTTP response header that
tells the browser: "from now on, for the next N seconds, never try to connect to
this host over plain HTTP, only over HTTPS". So even if someone types
http://example.com or clicks an old http:// link, the browser rewrites the URL
to https:// internally and never opens the HTTP connection at all.
Without HSTS, every plain-HTTP request (typically the very first visit, which the server answers with a redirect to HTTPS) travels in clear text. An attacker on the path can intercept it, swallow the redirect and keep the victim on HTTP while proxying to the real site (SSL stripping, a classic man-in-the-middle attack).
Example HSTS Header
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Fields:
- max-age=63072000: two years in seconds. The browser remembers the policy for that long, counted from the last response that carried the header.
- includeSubDomains: the policy also applies to every subdomain of the host that sent it.
- preload: signals that you want your domain added to the browsers' preload list (the directive has no effect on its own; it is a prerequisite for submission).
HSTS Preload List
Normally, HSTS only takes effect after the first successful HTTPS visit, so that first visit is still exposed. The solution is the HSTS Preload List: a hard-coded list of domains compiled into browsers (maintained by the Chromium project and consumed by Chrome, Firefox, Safari and Edge), which are treated as HTTPS-only from the start, without requiring a first visit. A preloaded entry always covers subdomains, which is why the submission criteria require includeSubDomains.
How to Enable It
- Make sure the bare domain and all subdomains have valid TLS certificates and actually work over HTTPS (including internal or legacy hosts; with includeSubDomains, every one of them will be forced to HTTPS).
- Redirect every HTTP request to HTTPS on the same host, and send the header only on HTTPS responses.
- Add the header to your server with a small initial max-age (e.g. 604800, one week).
- Test for a few days and make sure everything works; if something breaks, you only have to wait out the short max-age.
- Raise max-age to two years (63072000) and add includeSubDomains and preload. The preload list requires a max-age of at least one year (31536000).
- Submit your domain at hstspreload.org and wait for the next browser releases to ship the updated list.
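The following is an added example, not code from the original page or from any browser: a small Python model of the two sides described above. BrowserHstsStore behaves like a browser's HSTS store (header only honoured over error-free HTTPS, expiry via max-age, includeSubDomains matching against parent domains, preloaded entries that need no first visit, max-age=0 to forget a host), and preload_ready checks a header value against the directive requirements of the preload list. The one-year minimum and the constructed hostnames are assumptions for the example.

```python
"""Toy model of a browser's HSTS policy store plus a preload-readiness check (added example)."""
import time
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # assumed preload-list minimum for max-age (one year in seconds)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it lacks a valid max-age."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class BrowserHstsStore:
    """Remembers HSTS hosts the way a browser does: dynamic entries plus a preload list."""

    def __init__(self, preload_list=(), now=time.time):
        self.now = now
        self.dynamic = {}  # host -> (expiry timestamp, include_subdomains)
        self.preloaded = {h.lower() for h in preload_list}  # preloaded entries cover subdomains

    def observe_response(self, host, over_https, cert_valid, sts_header):
        """Record the policy; the header only counts on error-free HTTPS responses."""
        if not (over_https and cert_valid) or sts_header is None:
            return False
        policy = parse_sts(sts_header)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.dynamic[host] = (self.now() + policy.max_age, policy.include_subdomains)
        return True

    def is_known_https_only(self, host):
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None or entry[0] <= self.now():
                continue  # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually fetches (scheme rewritten, no HTTP request)."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            host = rest.split("/", 1)[0].split(":")[0]
            if self.is_known_https_only(host):
                return "https://" + rest
        return url


def preload_ready(sts_header):
    """Return the list of directive problems that would block a preload submission."""
    policy = parse_sts(sts_header)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems
```

The store deliberately ignores the header on plain-HTTP and certificate-error responses: an attacker who can inject headers into cleartext traffic must not be able to plant or clear a policy. Note that preload_ready only inspects the header; the real submission also checks the redirect chain and certificate, which a network-free snippet cannot verify.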
Common Mistakes
- includeSubDomains on a domain where not all subdomains serve HTTPS: browsers will refuse to reach those subdomains over HTTP for the whole max-age, and certificate errors on an HSTS host cannot be clicked through, so an internal tool on http://intranet.example.com or a host with an expired certificate simply becomes unreachable.
- Premature preload: if you are not ready, don't request it. Removal from the preload list takes weeks to months, because the updated list only reaches users with new browser releases.
- HSTS without HTTPS: if the header arrives in a plain-HTTP response, or in an HTTPS response with a certificate error, browsers ignore it. The policy is only ever learned from a clean HTTPS connection.