HSTS (HTTP Strict Transport Security) is a header that forces the browser to always use HTTPS for a domain, even if the user types http:// or clicks an old http link. Configured with one line: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Protects against downgrade attacks.
Free online tool — website security scanner: instant results, no signup.
HSTS (HTTP Strict Transport Security) is a header that forces the browser to always use HTTPS for a domain, even if the user types http:// or clicks an old http link. Configured with one line: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Protects against downgrade attacks.
Use the Enterno.io tool — enter a domain, get results in 1-2 seconds. Free, no signup.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. When a user visits a site that implements HSTS, the server sends a special response header, Strict-Transport-Security, which instructs the user's browser to only interact with the site using HTTPS.
Upon receiving this header, the browser will remember this policy for a specified duration (defined by the max-age directive). During this time, any attempt to access the site via HTTP will automatically be redirected to HTTPS, ensuring that all communications are encrypted. This is particularly important for sensitive transactions, such as online banking or e-commerce.
Additionally, HSTS can be configured to include all subdomains of a site by using the includeSubDomains directive. This means that if the main domain has HSTS enabled, all its subdomains will also be required to use HTTPS, further enhancing security.
One of the key benefits of HSTS is that it mitigates the risk of users being tricked into accessing a non-secure version of a site, which could lead to data breaches or credential theft. By enforcing HTTPS, HSTS ensures that users are always protected, making it a crucial part of modern web security practices.
Configuring HSTS is a straightforward process that involves adding a simple header to your web server's response. Below are the steps to configure HSTS on different web servers.
.htaccess or the main httpd.conf):Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always; web.config file: Once you have added the header, it is crucial to test the configuration to ensure it is correctly implemented. You can use online tools like HSTS Preload List Submission or browser developer tools to verify that the header is present in the HTTP response.
Keep in mind that once HSTS is enabled, it can have a lasting impact on how users access your site. Therefore, it is advisable to start with a shorter max-age value (e.g., 300 seconds) during testing, and once you are confident in the setup, you can increase it to the recommended duration (one year).
While HSTS is a powerful security feature, misconfigurations can lead to significant issues. Below are common pitfalls and best practices to avoid them:
max-age value too low may not provide adequate protection, while setting it too high can lock users out of your site if there are issues with HTTPS. Start with a moderate value and adjust as needed.includeSubDomains directive. Failing to do so can leave those subdomains vulnerable.By understanding these common misconfigurations and following best practices, you can effectively implement HSTS and enhance the security of your web applications.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeSee the full breakdown in the article above. For a quick check, use our online tool.
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.