Skip to content

HSTS: Definition, Syntax, and Examples

TL;DR:

HSTS (HTTP Strict Transport Security) is a header that forces the browser to always use HTTPS for a domain, even if the user types http:// or clicks an old http link. Configured with one line: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Protects against downgrade attacks.

Check your site's security →

What is a HSTS

HSTS (HTTP Strict Transport Security) is a header that forces the browser to always use HTTPS for a domain, even if the user types http:// or clicks an old http link. Configured with one line: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Protects against downgrade attacks.

Check HSTS online

Use the Enterno.io tool — enter a domain, get results in 1-2 seconds. Free, no signup.

Check →

Understanding HSTS: How It Works

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. When a user visits a site that implements HSTS, the server sends a special response header, Strict-Transport-Security, which instructs the user's browser to only interact with the site using HTTPS.

Upon receiving this header, the browser will remember this policy for a specified duration (defined by the max-age directive). During this time, any attempt to access the site via HTTP will automatically be redirected to HTTPS, ensuring that all communications are encrypted. This is particularly important for sensitive transactions, such as online banking or e-commerce.

Additionally, HSTS can be configured to include all subdomains of a site by using the includeSubDomains directive. This means that if the main domain has HSTS enabled, all its subdomains will also be required to use HTTPS, further enhancing security.

One of the key benefits of HSTS is that it mitigates the risk of users being tricked into accessing a non-secure version of a site, which could lead to data breaches or credential theft. By enforcing HTTPS, HSTS ensures that users are always protected, making it a crucial part of modern web security practices.

Configuring HSTS: Step-by-Step Guide

Configuring HSTS is a straightforward process that involves adding a simple header to your web server's response. Below are the steps to configure HSTS on different web servers.

  • Apache: To enable HSTS on an Apache server, you need to add the following line to your site's configuration file (e.g., .htaccess or the main httpd.conf):
  • Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'
  • Nginx: For Nginx, you can add the HSTS header in your server block:
  • add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
  • IIS: On Internet Information Services (IIS), you can configure HSTS by adding the header in the web.config file:

Once you have added the header, it is crucial to test the configuration to ensure it is correctly implemented. You can use online tools like HSTS Preload List Submission or browser developer tools to verify that the header is present in the HTTP response.

Keep in mind that once HSTS is enabled, it can have a lasting impact on how users access your site. Therefore, it is advisable to start with a shorter max-age value (e.g., 300 seconds) during testing, and once you are confident in the setup, you can increase it to the recommended duration (one year).

Common HSTS Misconfigurations and How to Avoid Them

While HSTS is a powerful security feature, misconfigurations can lead to significant issues. Below are common pitfalls and best practices to avoid them:

  • Forgetting to Use HTTPS: Before enabling HSTS, ensure that your site is fully accessible via HTTPS. If users attempt to access your site over HTTP after enabling HSTS, they will encounter errors. Always test your HTTPS configuration thoroughly.
  • Incorrect Max-Age Values: Setting the max-age value too low may not provide adequate protection, while setting it too high can lock users out of your site if there are issues with HTTPS. Start with a moderate value and adjust as needed.
  • Not Including Subdomains: If your site has subdomains that also require HTTPS, ensure you include the includeSubDomains directive. Failing to do so can leave those subdomains vulnerable.
  • Neglecting to Test: After configuration, it’s essential to verify that HSTS is working as intended. Use browser developer tools to check for the presence of the HSTS header and validate that the policy is enforced.
  • Not Utilizing Preload: If your site is eligible, consider submitting it to the HSTS preload list. This ensures that browsers will enforce HSTS for your domain even on the first visit, which is crucial for preventing downgrade attacks.

By understanding these common misconfigurations and following best practices, you can effectively implement HSTS and enhance the security of your web applications.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

How does HSTS differ from similar concepts?

See the full breakdown in the article above. For a quick check, use our online tool.

Does this need manual updates?

Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.