To enable HSTS: add the header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload in nginx (add_header) or Apache (Header set). For hstspreload.org inclusion — all subdomains must also serve HSTS and HTTPS.
Free online tool — website security scanner: instant results, no signup.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. By enforcing HTTPS connections, HSTS ensures that all communications between the user and the server are encrypted, enhancing the overall security of your site.
When HSTS is enabled, browsers are instructed to only communicate with the server using HTTPS, effectively preventing any communication over unencrypted HTTP. This is crucial for any website, especially those handling sensitive user data such as login credentials, payment information, or personal details.
Additionally, enabling HSTS can improve your site's SEO performance, as search engines like Google prioritize secure websites in their rankings. Implementing HSTS can be a decisive factor in building trust with your users, as they can be confident that their data is being transmitted securely.
To summarize, enabling HSTS on your site is vital for:
Enabling HSTS on your web server can be done with a few simple commands. Below are practical examples for both Nginx and Apache configurations.
To enable HSTS in Nginx, you need to edit your server block configuration file (usually located in /etc/nginx/sites-available/ or /etc/nginx/conf.d/). Add the following line within the server {} block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";Make sure to test your Nginx configuration with:
nginx -tIf the test is successful, reload Nginx to apply changes:
systemctl reload nginxFor Apache, you can enable HSTS by adding the following line to your site's configuration file (usually located in /etc/httpd/conf/httpd.conf or /etc/apache2/sites-available/). Place it within the appropriate <VirtualHost *:443> block:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"After adding the header, ensure to test your Apache configuration:
apachectl configtestIf the configuration is valid, restart Apache to apply the changes:
systemctl restart apache2Following these steps will successfully enable HSTS on your web server, enhancing the security of your site.
While enabling HSTS is crucial for securing your website, it's equally important to configure it correctly. Here are some common misconfigurations to avoid:
The max-age directive specifies how long browsers should remember that a site should only be accessed over HTTPS. Setting it too short can lead to security vulnerabilities during that time. A recommended value is 31536000 seconds (1 year), which balances security and flexibility.
If your website has multiple subdomains, ensure you include the includeSubDomains directive. This ensures that all subdomains are also protected by HSTS. Omitting this can leave certain parts of your site vulnerable.
When opting for the preload directive, ensure your site meets the criteria for hstspreload.org inclusion. This includes serving HSTS for all subdomains and ensuring your site is accessible via HTTPS before submission.
Always test your configuration after enabling HSTS. Use tools such as SSL Labs or browser developer tools to verify that the HSTS header is set correctly and that it meets your intended security parameters.
By avoiding these common pitfalls, you can ensure that your implementation of HSTS effectively secures your website and protects your users.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeNo for quick check. For continuous monitoring — free account.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.