HTTP Strict Transport Security (HSTS) is a security header that tells browsers to only connect to your site over HTTPS, even if the user types http:// in the address bar.
When a browser receives an HSTS header, it remembers that your site must use HTTPS for a specified period. Any attempt to load an HTTP version is automatically rewritten to HTTPS before the request is sent. This prevents man-in-the-middle attacks where an attacker intercepts the initial HTTP connection.
Without HSTS, the first connection to your site could be downgraded to HTTP even if HTTPS is available. An attacker on the same network could intercept that first request and redirect the user to a fake version of your site. Once a browser has seen your HSTS header, every later visit starts over HTTPS, which closes this window; preloading (described below) extends that protection to the very first visit as well.
HSTS is enabled by adding the Strict-Transport-Security header to your server responses. The header includes a max-age directive that specifies how long (in seconds) the browser should remember to use HTTPS. A typical value is 31536000 (one year).
Example header: Strict-Transport-Security: max-age=31536000; includeSubDomains. The includeSubDomains flag applies the rule to all subdomains. The preload directive allows your site to be included in browser HSTS preload lists for protection from the very first visit.
Browser vendors maintain HSTS preload lists: hardcoded lists of sites that must always be served over HTTPS. Submitting your site to the preload list (at hstspreload.org) ensures that even the very first visit from a fresh browser install is protected. The preload list is used by Chrome, Firefox, Safari, Edge, and Opera.
Preloading requires: a valid HTTPS certificate on all subdomains, the HSTS header with a max-age of at least 31536000, includeSubDomains enabled, and a preload directive. Once added, removal is extremely difficult, so confirm everything works before submitting.
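The following Python is an added example, not code from the original page or from the audit service it describes. It shows the two behaviours the text explains: how a browser parses a Strict-Transport-Security header, stores the policy for max-age seconds and rewrites http:// URLs (including subdomains when includeSubDomains is set) before any request leaves the machine, and how the header-level preload requirements listed above can be checked. The class and function names, and the sample hosts, are assumptions constructed for the example; the certificate requirement for preloading cannot be checked offline and is deliberately left out.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age required for preloading (from the text)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is one a browser would ignore: no max-age,
    a duplicated max-age, or a non-numeric max-age value.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and ignored, as browsers do
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_issues(policy: HstsPolicy) -> list:
    """List the header-level preload requirements the policy fails."""
    issues = []
    if policy.max_age < ONE_YEAR:
        issues.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        issues.append("includeSubDomains is missing")
    if not policy.preload:
        issues.append("preload directive is missing")
    return issues


class HstsCache:
    """A minimal model of a browser's HSTS 'known hosts' store (assumed design)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def record(self, host: str, policy: HstsPolicy, now: Optional[float] = None):
        now = time.time() if now is None else now
        host = host.lower()
        if policy.max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self._entries[host] = (now + policy.max_age, policy.include_subdomains)

    def rewrite(self, url: str, now: Optional[float] = None) -> str:
        """Return the URL a browser would actually request for this http:// URL."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        host = parts.hostname.lower()
        labels = host.split(".")
        # Walk from the exact host up to each parent domain; a parent entry
        # only applies when it was stored with includeSubDomains.
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now or (i > 0 and not include_subdomains):
                continue
            # Port 80 (explicit or implied) becomes the HTTPS default port.
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    # Constructed sample header and URLs, not taken from any real site.
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print("preload issues:", preload_issues(policy))
    cache = HstsCache()
    cache.record("example.com", policy, now=1000)
    print(cache.rewrite("http://api.example.com/login?next=/", now=2000))
```

The walk up the label chain is the part worth noticing: a policy stored for example.com only covers api.example.com because that entry carries includeSubDomains, which is why the text insists on the flag before preloading, and an expired entry is skipped rather than trusted, which is why a short max-age gives little protection.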
Every site audit inspects your HSTS header configuration. We verify the header is present, check the max-age value, confirm includeSubDomains is set correctly, and test whether preloading is properly configured.
Our free audit covers security, SEO, performance, mobile, design, and content.
Get your free audit