HTTP Strict-Transport-Security (HSTS) Explained

Jul 16, 2026
Updated Jul 16, 2026 Security Headers strict-transport-security hsts header hsts hsts preload

The HTTP Strict-Transport-Security (HSTS) response header tells a browser to only ever connect to a site over HTTPS, never plain HTTP, for a set period. Once a browser has seen the header, it automatically upgrades every request to that domain to HTTPS and refuses to connect if the certificate is invalid — closing the window that SSL-stripping man-in-the-middle attacks rely on.

What is the Strict-Transport-Security header?

Defined in RFC 6797, HSTS solves a specific problem: even on an HTTPS site, the very first request a user makes is often plain HTTP (they type example.com, not https://…), and that unencrypted request can be intercepted and downgraded. HSTS instructs the browser to remember the site as HTTPS-only, so after the first secure visit it never sends an HTTP request there again.

HSTS directives

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
DirectiveMeaning
max-ageHow long (in seconds) the browser enforces HTTPS-only. 31536000 is one year, the common value.
includeSubDomainsApplies the policy to every subdomain, not just the exact host.
preloadSignals that the domain may be added to the browser preload list, so HTTPS is enforced even on the very first visit.

The first-visit gap and the preload list

Plain HSTS only protects users after their first successful HTTPS visit. To close that initial gap, browsers ship a built-in HSTS preload list of domains hard-coded as HTTPS-only. Adding preload to your header and submitting the domain means even a brand-new visitor never makes an HTTP request. Preloading is powerful but hard to undo, so only enable it once you are certain the whole domain and its subdomains are permanently HTTPS.

How to check HSTS

See whether a site sends the Strict-Transport-Security header, and with what max-age, using the free HTTP headers checker. Because HSTS depends entirely on a valid certificate, it pairs directly with your TLS setup — see the SSL certificate monitoring and invalid certificate guides.

Common HSTS mistakes

  • A very short max-age. A few minutes gives almost no protection. Use a long value (a year) once you are confident in HTTPS.
  • Omitting includeSubDomains. Without it, a subdomain served over HTTP remains a downgrade target.
  • Enabling preload too early. If any subdomain still needs HTTP, preloading will break it — and removal from the list takes a long time.
  • Sending HSTS over plain HTTP. The header is only honoured over HTTPS; on an HTTP response it is ignored.

Related security headers

HSTS enforces the transport; other headers protect the content: Content-Security-Policy (injection/XSS), X-Frame-Options (clickjacking), and X-Content-Type-Options (MIME sniffing).

Frequently asked questions

Do I need HSTS if I already redirect HTTP to HTTPS?

Yes. A redirect still starts with an interceptable HTTP request. HSTS makes the browser skip HTTP entirely on future visits, which a redirect cannot do.

What max-age should I use for HSTS?

One year (31536000 seconds) is the widely recommended value, and it is required for submission to the preload list. Start lower while testing if you prefer, then raise it.

Can HSTS lock me out of my own site?

If you enable HSTS (especially with preload) and then cannot serve valid HTTPS, browsers will refuse to connect. Only enable it once your certificate and HTTPS are reliable across the domain.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan