What Is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that tells browsers to only connect to your site over HTTPS — never over plain HTTP — for a specified period. Once a browser has received an HSTS header from your site, it will automatically upgrade all future requests to HTTPS, even if a user types http:// or clicks an HTTP link.

This protects your visitors against a class of attacks known as SSL stripping, where an attacker intercepts an initial HTTP request before the browser is redirected to HTTPS, allowing them to silently downgrade the connection.

How HSTS Works

  1. A visitor connects to your site over HTTPS for the first time.
  2. Your server responds with the Strict-Transport-Security HTTP header.
  3. The browser stores this directive and the specified max-age duration.
  4. For all subsequent visits within the max-age window, the browser automatically uses HTTPS — without ever making an initial HTTP request.

A typical HSTS header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Breaking Down the HSTS Directives

  • max-age — The number of seconds the browser should remember the HSTS policy. 31536000 seconds is one year. Start with a shorter value (e.g., 300 seconds) while testing, then increase once you're confident.
  • includeSubDomains — Applies the HSTS policy to all subdomains (e.g., www, mail, api). Only add this if all subdomains serve content over HTTPS.
  • preload — Required if you want your domain added to the browser's built-in HSTS preload list (see below).

The HSTS Preload List

HSTS has one important limitation: the first-ever connection is still vulnerable, because the browser hasn't received the header yet. The HSTS preload list solves this by hardcoding a list of HSTS-enabled domains directly into browsers like Chrome, Firefox, Safari, and Edge.

To submit your domain to the preload list at hstspreload.org, your site must:

  • Serve a valid HTTPS certificate.
  • Redirect all HTTP traffic to HTTPS.
  • Serve the HSTS header with max-age of at least 31,536,000 seconds.
  • Include the includeSubDomains and preload directives.
  • Serve HTTPS on all subdomains.

Note: Preload list submission is a long-term commitment. Removing your site requires months of lead time across browser releases.
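The directive breakdown and the preload requirements above can be turned into a simple pre-submission check. The following Python is an added example, not code from the original article or from hstspreload.org; it parses a Strict-Transport-Security header value as a browser would (directive names are case-insensitive) and reports which header-level preload requirements fail. The HTTP-to-HTTPS redirect and HTTPS on every subdomain still have to be verified separately.

```python
# Constructed example: validate an HSTS header value against the
# header-level requirements of the hstspreload.org submission form.

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum the preload list accepts


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value into a directive map.

    max-age carries an integer value; includeSubDomains and preload are
    flags.  Directive names are matched case-insensitively, so the map
    keys are lower-cased ("includesubdomains", "preload").
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            directives["max-age"] = int(value)
        else:
            directives[name] = True
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives


def check_preload_ready(header_value: str) -> list:
    """Return the header-level preload requirements that fail.

    An empty list means the header itself is preload-ready; a short
    testing value such as max-age=300 is reported so it is not submitted
    by mistake.
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below the required {PRELOAD_MIN_MAX_AGE}")
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains directive missing")
    if not d.get("preload"):
        problems.append("preload directive missing")
    return problems
```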

How to Add the HSTS Header

Apache

Add to your HTTPS virtual host configuration or .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx

Add inside your server block (port 443):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Cloudflare

Cloudflare users can enable HSTS via the SSL/TLS dashboard under "Edge Certificates" without touching server config.

HSTS Risks and Caveats

  • Don't enable HSTS before your HTTPS is fully working — a misconfiguration can lock visitors out of your site.
  • Test with a short max-age first — Use 300 or 3600 seconds initially.
  • Ensure all subdomains support HTTPS before adding includeSubDomains.
  • Once a browser has the HSTS header, it cannot be overridden by the user except by manually clearing HSTS data.

Is HSTS Worth It?

Absolutely. For any site that has fully committed to HTTPS, HSTS is a low-effort, high-impact security improvement. It closes a real attack vector and signals to security-conscious users and tools (like Google's security audits) that your site takes security seriously.