Strict-Transport-Security

Anatoly Oshmanovsky

HTTP Headers Advanced Health Score PageSpeed Security SEO Audit Redirect Chain Broken Links HTTP/2 & HTTP/3 HAR Analyzer HTTP Status Code Checker HTTP Compare

DNS DNS Propagation MX Lookup WHOIS Subdomains Reverse IP CMS Detector Tech Stack Detector Screenshot

Ping Traceroute IP ASN Lookup Online Port Scanner API Latency

SSL CSP CORS Cookie Mixed Content Malware Spam Lists IP Abuse Check RKN Check

Email Deliverability Email Headers SMTP Relay Test DKIM Generator

Schema Checker OG Preview Keywords Robots.txt Site Comparison AI Readiness llms.txt Carbon

Formatter JWT Decoder Cron Tester TTL Calculator IP/CIDR Calculator Uptime / SLA Calculator Downtime Cost Batch Heartbeat

All Tools → Articles Contact Help

Pricing RU Sign In

Site Analysis

(12)

HTTP Headers Advanced Health Score PageSpeed Security SEO Audit Redirect Chain Broken Links HTTP/2 & HTTP/3 HAR Analyzer HTTP Status Code Checker HTTP Compare

Domain & DNS

(9)

DNS DNS Propagation MX Lookup WHOIS Subdomains Reverse IP CMS Detector Tech Stack Detector Screenshot

Network

(6)

Ping Traceroute IP ASN Lookup Online Port Scanner API Latency

Security

(9)

SSL CSP CORS Cookie Mixed Content Malware Spam Lists IP Abuse Check RKN Check

(4)

Email Deliverability Email Headers SMTP Relay Test DKIM Generator

SEO & AI

(8)

Schema Checker OG Preview Keywords Robots.txt Site Comparison AI Readiness llms.txt Carbon

Utilities

(9)

Formatter JWT Decoder Cron Tester TTL Calculator IP/CIDR Calculator Uptime / SLA Calculator Downtime Cost Batch Heartbeat

Information

(8)

API Documentation Articles Pricing Help Contact Sign In Sign Up

Home / HTTP Headers / Strict-Transport-Security

← All HTTP Headers

Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

Syntax

Strict-Transport-Security: max-age=&lt;seconds&gt;; includeSubDomains; preload

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Description

The Strict-Transport-Security (HSTS) header tells browsers to only communicate with the server using HTTPS. Once received, the browser will automatically convert all HTTP requests to HTTPS for the specified duration.

The max-age directive specifies how long (in seconds) to enforce HTTPS. includeSubDomains extends this to all subdomains. preload allows inclusion in browser HSTS preload lists.

HSTS prevents man-in-the-middle attacks, SSL stripping, and cookie hijacking. Use at least 1 year (31536000 seconds) for production.

Check if your website sends this header correctly

Check your headers →

HSTS and HSTS Preload: Complete Guide to Forced HTTPS

HSTS and preload list — how to force browsers to always use HTTPS. Strict-Transport-Security setup, hstspreload.org submission, gotchas.

HTTP to HTTPS Migration: Redirects, Mixed Content, HSTS

HTTP to HTTPS migration guide: certificate, 301 redirect, fixing mixed content, HSTS, canonical URLs, SEO without traffic loss.

HTTP Redirect Chains and Their Impact on SEO

Redirect chains hurt SEO equity, slow loading, and waste crawl budget. How to find and eliminate 301/302 chains with tools and code examples.

Related Headers

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Permissions-Policy

Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.

Referrer-Policy

Controls how much referrer information is included with requests, balancing privacy with analytics needs.

X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.

Related guides

Longer-form reading on this topic from the knowledge base.

→ How to Debug nginx Errors — 2026
→ LRU Cache — Least Recently Used
→ RAG (Retrieval-Augmented Generation)

Automate this check

Set up continuous monitoring and get an alert when something breaks. No manual runs to remember.

Start free

HTTP

Start monitoring for free

Create Account API Documentation

Weekly KB digest 10+ new pages a week — SSL errors, ports, glossary, how-tos. No spam.

Website

enterno.io

Website monitoring and analysis tools

SITE AUDIT HTTP Headers Advanced Health Score PageSpeed Security SEO Audit Redirect Chain Broken Links HTTP/2 & HTTP/3 HAR Analyzer HTTP Status Code Checker HTTP Compare

DNS & DOMAIN DNS Lookup DNS Propagation MX Lookup WHOIS Subdomains Reverse IP CMS Detector Tech Stack Detector Screenshot NETWORK & IP Ping Traceroute IP Geolocation ASN Lookup Online Port Scanner API Latency

SECURITY SSL Check CSP CORS Cookie Mixed Content Malware Spam Lists IP Abuse Check RKN Check EMAIL Email Deliverability Email Headers SMTP Relay Test DKIM Generator

SEO & AI Schema Checker OG Preview Keywords Robots.txt Compare Sites AI Readiness llms.txt Carbon DEV TOOLS Formatter JWT Decoder Cron Tester TTL Calculator IP/CIDR Calculator Uptime / SLA Calculator Downtime Cost Batch Heartbeat

ABOUT About us All Tools Pricing API Documentation MCP Server (Claude Desktop) Articles Help Comparisons Referral Program Contact HTTP Headers Reference HTTP Status Codes SSL Errors TCP/UDP Ports Glossary How-to Guides Research Alternatives

4 769 checks total · 27 active monitors · 17 verified users

PHP 8.4 · Hosted on Selectel

Strict-Transport-Security

Syntax

Example

Description

Related Articles

Related Headers

Related guides

Automate this check

Related Articles

Server-Sent Events vs WebSockets: Choosing Real-Time Communication

HTTP 404 Not Found Error: 7 Causes and How to Fix

The Complete HTTP Request Lifecycle: From URL to Rendered Page

Start monitoring for free