
HSTS — What It Is and Why Your Website Needs It

HSTS (HTTP Strict Transport Security) is a security mechanism that tells the browser: "This site must only be loaded over SSL/TLS. Never use HTTP." After receiving the HSTS header, the browser automatically redirects all HTTP requests to HTTPS, even if the user manually types an address without https://.

Why You Need HSTS

You have set up an SSL certificate and added an HTTP-to-HTTPS redirect — seems enough. But without HSTS, a vulnerability remains: the user's first request may go over HTTP, and an attacker can intercept it.

Key threats without HSTS:

  • SSL stripping (Moxie Marlinspike attack) — an attacker intercepts the HTTP request and substitutes the response, preventing the browser from switching to HTTPS
  • Cookie theft — cookies set without the Secure flag can leak through HTTP requests
  • Mixed Content — HTTP resources on an HTTPS page create vulnerabilities
  • Subdomain phishing — without includeSubDomains, an attacker can create an HTTP version of a subdomain

How HSTS Works

The mechanism is simple but effective:

  1. The user visits the site over HTTPS for the first time
  2. The server sends the header: Strict-Transport-Security: max-age=31536000; includeSubDomains
  3. The browser remembers that this domain must only use HTTPS
  4. For the specified duration (max-age), all HTTP requests are automatically converted to HTTPS on the browser side — without contacting the server

This is called an "internal 307 redirect" — the browser does it on its own, without a network request.
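To make steps 1-4 concrete, here is a small Python model of what the browser does with the header. It is an added illustration, not code from the original article: it parses the directives, keeps one entry per host with an expiry, and decides locally whether an http:// request should be upgraded. Host names and timings are constructed.

```python
import time


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains, preload); None if max-age is missing/invalid."""
    max_age, include_sub, preload = None, False, False
    for token in (t.strip() for t in header_value.split(";") if t.strip()):
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip('" ').isdigit():
            max_age = int(value.strip('" '))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed for illustration)."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, scheme, header_value):
        """Steps 2-3: record the policy, but only from an HTTPS response."""
        if scheme != "https":
            return False          # HSTS over plain HTTP is ignored by design
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:          # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def should_upgrade(self, host):
        """Step 4: upgrade http:// to https:// with no network request if the exact
        host, or a parent flagged includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
```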

HSTS Header Syntax

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Let's break down each directive:

Directive            Description                                   Recommendation
max-age              Duration in seconds                           31536000 (1 year) for production
includeSubDomains    Apply to all subdomains                       Enable if all subdomains support HTTPS
preload              Request inclusion in browser preload lists    Enable after testing

Nginx

server {
    listen 443 ssl;
    server_name example.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

Important: add the header only for the HTTPS block (443), not for HTTP (80).

Apache

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

PHP (programmatically)

header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

HSTS Preload List

The preload list is a list of domains built into Chrome, Firefox, Safari, and Edge browsers. For domains on this list, HTTPS is used from the very first visit — even if the user has never been to the site before.

Requirements for preload list inclusion:

  • Valid SSL certificate
  • Redirect from HTTP to HTTPS on the main domain
  • HSTS header with max-age of at least 31536000 (1 year)
  • includeSubDomains directive
  • preload directive
  • All subdomains must support HTTPS

You can submit your domain at hstspreload.org.

Common HSTS Configuration Mistakes

  • Too short max-age — values less than 1 year are not accepted for the preload list. Start with 300 seconds for testing, then increase
  • HSTS on HTTP — the header on an HTTP response is ignored by browsers (and rightly so — otherwise an attacker could forge it)
  • includeSubDomains without verification — if even one subdomain doesn't support HTTPS, users will lose access to it
  • Forgot about APIs and external resources — if your API or CDN uses HTTP, HSTS can break integrations
  • No rollback — after enabling preload, removing a domain from the list is difficult and slow (several months)

How to Enable HSTS Safely

  1. Ensure the entire site works over HTTPS, including all resources
  2. Configure HTTP → HTTPS redirect
  3. Add HSTS with max-age=300 (5 minutes) for testing
  4. Verify the header using the HTTP header checker on enterno.io
  5. Increase max-age to 604800 (1 week), then to 2592000 (1 month)
  6. Add includeSubDomains, making sure all subdomains are ready
  7. Add preload and submit to hstspreload.org
  8. Set the final value of max-age=31536000 (1 year)

How to Check HSTS on a Website

The quickest way is to use the HTTP header checker on enterno.io. Enter your site's URL and look for the Strict-Transport-Security header in the response. The tool will show the max-age value and the presence of includeSubDomains and preload directives.

You can also check in Chrome DevTools: open the Network tab, select the main document, and look at Response Headers.
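The header checker described above reports what the server sent; the following Python function, added here as an example and not the enterno.io tool or any code from the original article, evaluates one response against the mistakes list and the rollout steps in the previous section. It takes the scheme the response was fetched over and its headers as a dict; the sample responses at the bottom are constructed, not captured from a real site.

```python
def parse_directives(header_value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a lowercase dict."""
    out = {}
    for token in header_value.split(";"):
        name, _, value = token.strip().partition("=")
        if name.strip():
            out[name.strip().lower()] = value.strip().strip('"')
    return out


def check_hsts(scheme, headers, subdomains_https=True):
    """Return a list of findings for one response; an empty list means the
    header meets the preload requirements listed in the article.

    scheme           - 'http' or 'https', the scheme the response was fetched over
    headers          - response headers as a dict (looked up case-insensitively)
    subdomains_https - whether every subdomain has been verified to serve HTTPS
    """
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        if value is not None:
            findings.append("HSTS sent over HTTP: browsers ignore it here; move it to the 443 block")
        return findings
    if value is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    d = parse_directives(value)
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not a number; browsers discard the header")
        return findings
    max_age = int(d["max-age"])
    if max_age < 31536000:
        findings.append(f"max-age={max_age} is under 1 year; fine for testing, rejected by preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; required for preload")
    elif not subdomains_https:
        findings.append("includeSubDomains set but not all subdomains serve HTTPS; users will lose access to them")
    if "preload" not in d:
        findings.append("preload directive missing; needed before submitting to hstspreload.org")
    return findings


# Constructed sample responses for the testing stage and the final stage of the rollout
TESTING_STAGE = ("https", {"Strict-Transport-Security": "max-age=300"})
FINAL_STAGE = ("https", {"Strict-Transport-Security":
                         "max-age=31536000; includeSubDomains; preload"})
```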

Summary

HSTS is a simple yet powerful security tool. It requires minimal configuration but significantly improves security by enforcing HTTPS usage. If your site already runs on HTTPS, there is no reason not to enable HSTS — it's a free and effective defense against an entire class of attacks.
