HSTS (via the Strict-Transport-Security header) tells browsers to only ever connect to your site over HTTPS. After the first visit, the browser refuses insecure connections automatically, blocking downgrade and SSL-stripping attacks.
The Strict-Transport-Security header instructs browsers to remember that your site is HTTPS-only for a set duration. This closes the small window where an attacker could intercept an initial insecure request and downgrade the connection.
Check your website
See how your site handles hsts: http strict transport security explained — free, no account needed.
For business owners
Even with HTTPS and redirects, there is a brief moment on a visitor's first request where an attacker on the network could hijack the connection before the redirect happens. HSTS closes that gap. It signals a mature security posture, is required for the strongest trust ratings, and prevents a category of attack that redirects alone cannot.
How it works (technical)
The header looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
- max-age — seconds the browser enforces HTTPS-only (e.g. one year).
- includeSubDomains — applies the policy to every subdomain.
- preload — opts into the browser preload list, so HTTPS is enforced even on the very first visit.
Once a browser sees the header, it upgrades all requests to HTTPS internally and refuses to connect if the certificate is invalid — the user cannot click through the warning.
Real-world example
A bank enforced HSTS with preload. When a customer typed the bare domain on public Wi-Fi, the browser never issued an HTTP request at all — it went straight to HTTPS from its preload list, defeating a rogue access point attempting SSL stripping.
Why it matters
HSTS eliminates the first-request downgrade window that plain redirects leave open. It is a required signal for top-tier security scores and is straightforward to add once HTTPS is reliable.
How to fix it
Confirm HTTPS works flawlessly on your main domain and all subdomains first.
Add
Strict-Transport-Security: max-age=31536000to all HTTPS responses.Once confident, add
includeSubDomains.Optionally submit your domain to the HSTS preload list with the
preloaddirective.Start with a short max-age while testing, then raise it to a year.
Best practices
Only enable HSTS after HTTPS is fully working everywhere — it is hard to undo quickly.
Use includeSubDomains only if every subdomain supports HTTPS.
Treat preload as a long-term commitment; removal from the list is slow.
Common mistakes
Enabling HSTS before every subdomain has valid HTTPS, locking out insecure subdomains.
Using preload prematurely and getting stuck when a subdomain is not ready.
Setting a very long max-age during initial testing.
Frequently asked questions
What is HSTS preload?
A list built into browsers of domains that must always use HTTPS, so protection applies even on the first-ever visit before any header is seen.
Can I turn HSTS off quickly?
Not really. Browsers honour the max-age you sent, so a long duration or preload entry persists. Introduce it carefully.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free