Skip to content

How to Enable HSTS on nginx and Apache

TL;DR:

To enable HSTS: add the header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload in nginx (add_header) or Apache (Header set). For hstspreload.org inclusion — all subdomains must also serve HSTS and HTTPS.

Check your site's security →

Step-by-step guide

  1. Check current HSTS. Open /en/security, enter domain. Grade < A often means missing or wrong HSTS.
  2. nginx — add header. In the 443 server block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  3. Apache — via mod_headers. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  4. Check all subdomains. If you have www, api, status, blog — each must serve HSTS. Otherwise preload submission will fail.
  5. Submit to hstspreload.org. Fill the form at hstspreload.org. Review takes 1-2 months. Then you land in Chrome's built-in list.

Open tool →

Understanding HSTS and Its Importance

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. By enforcing HTTPS connections, HSTS ensures that all communications between the user and the server are encrypted, enhancing the overall security of your site.

When HSTS is enabled, browsers are instructed to only communicate with the server using HTTPS, effectively preventing any communication over unencrypted HTTP. This is crucial for any website, especially those handling sensitive user data such as login credentials, payment information, or personal details.

Additionally, enabling HSTS can improve your site's SEO performance, as search engines like Google prioritize secure websites in their rankings. Implementing HSTS can be a decisive factor in building trust with your users, as they can be confident that their data is being transmitted securely.

To summarize, enabling HSTS on your site is vital for:

  • Enhancing Security: Protects against various attacks.
  • Improving SEO: Boosts your site's visibility in search results.
  • Building Trust: Provides assurance to users regarding data safety.

Practical Commands to Enable HSTS on Nginx and Apache

Enabling HSTS on your web server can be done with a few simple commands. Below are practical examples for both Nginx and Apache configurations.

Nginx Configuration

To enable HSTS in Nginx, you need to edit your server block configuration file (usually located in /etc/nginx/sites-available/ or /etc/nginx/conf.d/). Add the following line within the server {} block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

Make sure to test your Nginx configuration with:

nginx -t

If the test is successful, reload Nginx to apply changes:

systemctl reload nginx

Apache Configuration

For Apache, you can enable HSTS by adding the following line to your site's configuration file (usually located in /etc/httpd/conf/httpd.conf or /etc/apache2/sites-available/). Place it within the appropriate <VirtualHost *:443> block:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

After adding the header, ensure to test your Apache configuration:

apachectl configtest

If the configuration is valid, restart Apache to apply the changes:

systemctl restart apache2

Following these steps will successfully enable HSTS on your web server, enhancing the security of your site.

Common HSTS Misconfigurations to Avoid

While enabling HSTS is crucial for securing your website, it's equally important to configure it correctly. Here are some common misconfigurations to avoid:

1. Setting Too Short Max-Age

The max-age directive specifies how long browsers should remember that a site should only be accessed over HTTPS. Setting it too short can lead to security vulnerabilities during that time. A recommended value is 31536000 seconds (1 year), which balances security and flexibility.

2. Failing to Include Subdomains

If your website has multiple subdomains, ensure you include the includeSubDomains directive. This ensures that all subdomains are also protected by HSTS. Omitting this can leave certain parts of your site vulnerable.

3. Not Using Preload Correctly

When opting for the preload directive, ensure your site meets the criteria for hstspreload.org inclusion. This includes serving HSTS for all subdomains and ensuring your site is accessible via HTTPS before submission.

4. Not Testing After Configuration

Always test your configuration after enabling HSTS. Use tools such as SSL Labs or browser developer tools to verify that the HSTS header is set correctly and that it meets your intended security parameters.

By avoiding these common pitfalls, you can ensure that your implementation of HSTS effectively secures your website and protects your users.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Signup required?

No for quick check. For continuous monitoring — free account.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.