HTTP Strict Transport Security (HSTS)

Security Glossary - Security Headers

Definition: HSTS is a security header that instructs browsers to only connect to a website over HTTPS, never over plain HTTP. Once a browser receives the Strict-Transport-Security header, it automatically converts any HTTP request to that domain into HTTPS for the duration specified by the max-age directive.

Key Parameters

Directive | Recommended Value | Purpose
max-age | 31536000 (1 year) | How long browsers remember HTTPS-only
includeSubDomains | Include if all subdomains support HTTPS | Extends policy to subdomains
preload | Include after testing | Submit to browser preload list

The Importance of HSTS

Without HSTS, even an HTTPS-enabled site is vulnerable to SSL stripping attacks. An attacker on the network (like a public Wi-Fi hotspot) can intercept the initial HTTP request before it is redirected to HTTPS and serve a plain HTTP version of the site. The user sees no security indicators because the connection never reaches HTTPS. HSTS prevents this by ensuring the browser never attempts an HTTP connection.

The HSTS preload list takes this further by hardcoding HSTS into the browser itself. Sites on the preload list are always accessed over HTTPS, even on the very first visit. Without preloading, the first visit is still vulnerable because the browser has not yet received the HSTS header.

HSTS has an important operational implication: if your SSL certificate expires while HSTS is active, browsers will refuse to connect at all - there is no way to click through the warning. This makes automated certificate renewal essential for HSTS-enabled sites.

How to Check

Run a security audit to check if your server sends the Strict-Transport-Security header. Verify the max-age is at least 31536000 (one year) and consider adding includeSubDomains and preload directives. Check the HSTS preload list to see if your domain is preloaded.

What People Get Wrong About HSTS

Myth: HSTS can be easily reversed if something goes wrong
Reality: Once a browser receives an HSTS header, it will refuse HTTP connections until max-age expires. If you set a 1-year max-age and then lose your HTTPS setup, visitors cannot reach your site. Start with a short max-age (300 seconds) during testing.
Myth: HTTPS redirect is enough, HSTS is redundant
Reality: The first HTTP request before the redirect is vulnerable to interception (SSL stripping). HSTS eliminates this window by telling the browser to never attempt HTTP in the first place.

HSTS FAQ

What max-age should I set for HSTS?
Start with a short max-age (like 300 seconds) to test, then increase to 31536000 (one year) once confirmed working. For HSTS preloading, a max-age of at least 31536000 is required along with includeSubDomains and preload directives.
Can I undo HSTS if something goes wrong?
You can set max-age to 0 to clear the HSTS policy, but users must visit the site over HTTPS to receive the updated header. For preloaded domains, removal from the preload list takes months because it requires a browser update. Test thoroughly before preloading.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.