HSTS — What It Is and Why Your Website Needs It
HSTS (HTTP Strict Transport Security) is a security mechanism that tells the browser: "This site must only be loaded over SSL/TLS. Never use HTTP." Once it has received the HSTS header over HTTPS, the browser automatically rewrites all HTTP requests to that site as HTTPS, even if the user manually types an address without https://.
Why You Need HSTS
You have set up an SSL certificate and added an HTTP-to-HTTPS redirect, which seems sufficient. But without HSTS a vulnerability remains: the user's first request may still go out over plain HTTP, and an attacker on the path can intercept it before the redirect is ever seen.
Key threats without HSTS:
- SSL stripping (Moxie Marlinspike's sslstrip attack) — an attacker intercepts the HTTP request and rewrites the response so the browser never switches to HTTPS
- Cookie theft — cookies set without the Secure flag are sent with plain HTTP requests and can be read on the wire
- Mixed content — HTTP resources loaded on an HTTPS page can be tampered with in transit
- Subdomain phishing — without includeSubDomains, an attacker can serve an HTTP version of a subdomain
How HSTS Works
The mechanism is simple but effective:
- The user visits the site over HTTPS for the first time
- The server sends the header: Strict-Transport-Security: max-age=31536000; includeSubDomains
- The browser remembers that this domain must only use HTTPS
- For the specified duration (max-age), all HTTP requests are automatically converted to HTTPS on the browser side — without contacting the server
This is called an "internal 307 redirect" — the browser does it on its own, without a network request.
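To make the mechanism above concrete, here is a toy model of a browser's HSTS cache. It is an added example, not code from the article: it stores the policy only when the header arrives on an HTTPS response, keeps it for max-age seconds, honours includeSubDomains for child domains, and performs the "internal redirect" by rewriting http:// URLs locally before any network request. The host names and header values in it are constructed for illustration.

```python
"""Toy model of a browser's HSTS cache (added example, not from the article).

It models the behaviour described above: the policy is learned only from an
HTTPS response, kept for max-age seconds, and then applied by rewriting
http:// URLs to https:// locally (the "internal 307 redirect") before any
network request is made. With includeSubDomains the rule also covers
subdomains of the host that sent the header.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # epoch seconds at which the entry lapses
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing/invalid."""
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored by the browser itself
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(time.time() + max_age, include_subdomains)


class HstsCache:
    """Per-host HSTS store, keyed by the exact host that sent the header."""

    def __init__(self) -> None:
        self._store: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str]) -> bool:
        """Learn a policy from a response. Returns True if an entry was stored."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host is None:
            return False  # the header is only trusted on an HTTPS response
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        if policy.expires_at <= time.time():
            self._store.pop(host, None)  # max-age=0 tells the browser to forget the host
            return False
        self._store[host] = policy
        return True

    def _covers(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        now = time.time()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._store.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._store[candidate]  # expired entries are dropped lazily
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// if a policy applies; no network involved."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self._covers(parts.hostname):
            return url
        # port 80 becomes the https default; any other explicit port is preserved
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    header = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    # constructed responses: the same header over HTTP is ignored, over HTTPS it sticks
    cache.observe_response("http://example.com/", header)
    print(cache.rewrite("http://example.com/login"))        # http://example.com/login
    cache.observe_response("https://example.com/", header)
    print(cache.rewrite("http://example.com/login"))        # https://example.com/login
    print(cache.rewrite("http://api.example.com:8080/v1"))  # https://api.example.com:8080/v1
```

The two observe_response calls show the point made later under common mistakes: the identical header on an HTTP response changes nothing, because a browser that trusted it there could be fed a forged policy by the same attacker HSTS is meant to stop.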
HSTS Header Syntax
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Let's break down each directive:
| Directive | Description | Recommendation |
|---|---|---|
| max-age | Duration in seconds for which the browser enforces HTTPS | 31536000 (1 year) for production |
| includeSubDomains | Apply the policy to all subdomains | Enable only if all subdomains support HTTPS |
| preload | Request inclusion in browser preload lists | Enable after testing |
Configuring HSTS on Popular Servers
Nginx
server {
    listen 443 ssl;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
Important: add the header only in the HTTPS server block (port 443), not in the HTTP block (port 80). The always parameter makes Nginx emit the header on error responses as well, not only on 2xx and 3xx.
Apache
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
This requires mod_headers to be enabled.
PHP (programmatically)
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
Call header() before any output is sent, and only from pages served over HTTPS.
HSTS Preload List
The preload list is a list of domains built into the Chrome, Firefox, Safari, and Edge browsers. For domains on this list, HTTPS is used from the very first visit, even if the user has never been to the site before and so has never received the header.
Requirements for preload list inclusion:
- Valid SSL certificate
- Redirect from HTTP to HTTPS on the main domain
- HSTS header with max-age of at least 31536000 (1 year)
- includeSubDomains directive
- preload directive
- All subdomains must support HTTPS
You can submit your domain at hstspreload.org.
Common HSTS Configuration Mistakes
- Too short max-age — values less than 1 year are not accepted for the preload list. Start with 300 seconds for testing, then increase
- HSTS on HTTP — the header on an HTTP response is ignored by browsers (and rightly so; otherwise an attacker could forge it)
- includeSubDomains without verification — if even one subdomain doesn't support HTTPS, users will lose access to it
- Forgetting about APIs and other resources — if your API or CDN is still served over HTTP, HSTS can break integrations
- No rollback — after enabling preload, removing a domain from the list is difficult and slow (several months)
Recommended Deployment Plan
- Ensure the entire site works over HTTPS, including all resources
- Configure HTTP → HTTPS redirect
- Add HSTS with max-age=300 (5 minutes) for testing
- Verify the header using the HTTP header checker on enterno.io
- Increase max-age to 604800 (1 week), then to 2592000 (1 month)
- Add includeSubDomains, making sure all subdomains are ready
- Add preload and submit to hstspreload.org
- Set the final value of max-age=31536000 (1 year)
How to Check HSTS on a Website
The quickest way is to use the HTTP header checker on enterno.io. Enter your site's URL and look for the Strict-Transport-Security header in the response. The tool will show the max-age value and the presence of includeSubDomains and preload directives.
You can also check in Chrome DevTools: open the Network tab, select the main document, and look at Response Headers.
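If you would rather check from a script, the following is an added example (not the article's tool and not related to enterno.io) that evaluates a Strict-Transport-Security value against the header-level preload requirements listed earlier: max-age of at least one year, includeSubDomains, preload, and the header being observed on an HTTPS response. The check_site helper fetches a real URL with the standard library; the sample header values in the main block are constructed to match the stages of the deployment plan.

```python
"""Preload-readiness check for a Strict-Transport-Security header (added
example, not from the article or from any checker the article mentions).
It applies the header-level requirements listed above: max-age of at least
one year, includeSubDomains, preload, and the header being served on an
HTTPS response (browsers ignore it on plain HTTP). The preload list also
has requirements about redirects that this script does not verify.
"""
import re
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


def evaluate_hsts(value: Optional[str], over_https: bool = True) -> Dict[str, object]:
    """Return parsed directives plus a list of issues blocking preload submission."""
    issues: List[str] = []
    if value is None:
        return {"max_age": None, "include_subdomains": False, "preload": False,
                "preload_ready": False, "issues": ["no Strict-Transport-Security header"]}
    # directive names are case-insensitive; values (only max-age has one) are split off
    directives = {d.strip().split("=", 1)[0].strip().lower() for d in value.split(";")}
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    max_age = int(match.group(1)) if match else None
    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives

    if not over_https:
        issues.append("header observed on an HTTP response; browsers ignore it there")
    if max_age is None:
        issues.append("max-age directive missing or malformed")
    elif max_age < ONE_YEAR:
        issues.append(f"max-age={max_age} is below the 1-year minimum ({ONE_YEAR})")
    if not include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not preload:
        issues.append("preload directive missing")
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload, "preload_ready": not issues, "issues": issues}


def check_site(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Fetch url (network access required) and evaluate the HSTS header it returns."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        value = resp.headers.get("Strict-Transport-Security")
        over_https = resp.geturl().startswith("https://")  # final URL after redirects
    return evaluate_hsts(value, over_https)


if __name__ == "__main__":
    # constructed header values standing in for the stages of the deployment plan above
    for sample in ["max-age=300",
                   "max-age=2592000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"]:
        result = evaluate_hsts(sample)
        print(sample, "->", "ready" if result["preload_ready"] else result["issues"])
```

Run it against your own site with check_site("https://your-domain.example/") once the header is live; an empty issues list means the header itself meets the preload requirements, and each listed issue maps to one of the common mistakes above.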
Summary
HSTS is a simple yet powerful security tool. It requires minimal configuration but significantly improves security by enforcing HTTPS in the browser itself. If your site already runs on HTTPS, there is no reason not to enable HSTS: it is a free and effective defense against an entire class of downgrade attacks.