Skip to main content

Security Headers

HSTS: HTTP Strict Transport Security Explained

Force browsers to always use HTTPS — even on the first click.

Quick answer

HSTS (via the Strict-Transport-Security header) tells browsers to only ever connect to your site over HTTPS. After the first visit, the browser refuses insecure connections automatically, blocking downgrade and SSL-stripping attacks.

The Strict-Transport-Security header instructs browsers to remember that your site is HTTPS-only for a set duration. This closes the small window where an attacker could intercept an initial insecure request and downgrade the connection.

Check your website

See how your site handles hsts: http strict transport security explained — free, no account needed.

For business owners

Even with HTTPS and redirects, there is a brief moment on a visitor's first request where an attacker on the network could hijack the connection before the redirect happens. HSTS closes that gap. It signals a mature security posture, is required for the strongest trust ratings, and prevents a category of attack that redirects alone cannot.

How it works (technical)

The header looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.

  • max-age — seconds the browser enforces HTTPS-only (e.g. one year).
  • includeSubDomains — applies the policy to every subdomain.
  • preload — opts into the browser preload list, so HTTPS is enforced even on the very first visit.

Once a browser sees the header, it upgrades all requests to HTTPS internally and refuses to connect if the certificate is invalid — the user cannot click through the warning.

Real-world example

A bank enforced HSTS with preload. When a customer typed the bare domain on public Wi-Fi, the browser never issued an HTTP request at all — it went straight to HTTPS from its preload list, defeating a rogue access point attempting SSL stripping.

Why it matters

HSTS eliminates the first-request downgrade window that plain redirects leave open. It is a required signal for top-tier security scores and is straightforward to add once HTTPS is reliable.

How to fix it

  1. Confirm HTTPS works flawlessly on your main domain and all subdomains first.

  2. Add Strict-Transport-Security: max-age=31536000 to all HTTPS responses.

  3. Once confident, add includeSubDomains.

  4. Optionally submit your domain to the HSTS preload list with the preload directive.

  5. Start with a short max-age while testing, then raise it to a year.

Best practices

  • Only enable HSTS after HTTPS is fully working everywhere — it is hard to undo quickly.

  • Use includeSubDomains only if every subdomain supports HTTPS.

  • Treat preload as a long-term commitment; removal from the list is slow.

Common mistakes

  • Enabling HSTS before every subdomain has valid HTTPS, locking out insecure subdomains.

  • Using preload prematurely and getting stuck when a subdomain is not ready.

  • Setting a very long max-age during initial testing.

Frequently asked questions

What is HSTS preload?

A list built into browsers of domains that must always use HTTPS, so protection applies even on the first-ever visit before any header is seen.

Can I turn HSTS off quickly?

Not really. Browsers honour the max-age you sent, so a long duration or preload entry persists. Introduce it carefully.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account