HSTS: HTTP Strict Transport Security
Force HTTPS connections and protect your visitors from downgrade attacks.
HSTS (HTTP Strict Transport Security, RFC 6797) is a response header that tells browsers to communicate with your site exclusively over HTTPS. Once a browser has received the header over HTTPS, it rewrites any http:// URL for that host to https:// for the specified duration, even if the user explicitly types http://, and it treats a certificate error for that host as fatal instead of offering a click-through.
HSTS protects against several types of attacks, including man-in-the-middle (MITM) attacks that attempt to downgrade the connection from HTTPS to HTTP. Without HSTS, an attacker on a public WiFi network could intercept the first HTTP request before the redirect to HTTPS and keep the victim on plain HTTP. Note that HSTS itself is trust-on-first-use: a browser that has never seen the header still sends that first plain-HTTP request, which is the gap the preload list closes.
This guide explains how to configure HSTS correctly, precautions to take, and how to submit your domain to the preload list for maximum protection.
HSTS Benefits
HSTS provides several security benefits:
- Downgrade protection: prevents attackers from forcing an insecure HTTP connection. All requests to the host are converted to HTTPS inside the browser before they leave the machine.
- MITM protection after first contact: once a browser has seen the header (or the domain is preloaded), an attacker on an unsecured WiFi network gets no plain-HTTP request to intercept. Without preloading, the very first visit is still exposed.
- Improved performance: the http:// to https:// upgrade happens inside the browser (an internal redirect), so the usual HTTP→HTTPS redirect costs no network round trip.
- No certificate-error bypass: for an HSTS host, browsers remove the "proceed anyway" option on certificate errors, so a forged certificate presented by an interceptor cannot be clicked through.
HSTS Header Configuration
The HSTS header consists of several directives:
- max-age: duration in seconds the browser should force HTTPS, counted from the last time it saw the header. 31536000 (1 year) is recommended and is the minimum accepted for preload submission. max-age=0 tells the browser to forget the policy.
- includeSubDomains: applies the policy to every subdomain of the host that sent it, including subdomains that never send the header themselves (internal tools, mail, dev hosts). Caution: all of them must support HTTPS.
- preload: indicates you want to be added to the browsers' preload list. It is not defined in RFC 6797; it is the token hstspreload.org looks for, and it requires max-age of at least 31536000 together with includeSubDomains.
- Full syntax: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Configuration Steps
Follow these steps to enable HSTS progressively:
- Verify HTTPS everywhere: ensure your site and all subdomains work correctly in HTTPS without errors.
- Start with short max-age: use max-age=300 (5 minutes) for testing. If everything works, increase in steps (for example a day, then a week, then a month), watching for broken subdomains at each step.
- Add includeSubDomains: once certain all subdomains support HTTPS, add this directive. Remember that it also covers subdomains that do not serve the header themselves.
- Increase to 1 year and add preload: once stable, switch to max-age=31536000, add preload, and submit the domain at hstspreload.org. Only do this when you are sure; removal from the list takes months.
Server HSTS Configuration
How to configure HSTS on common servers:
# Nginx
server {
    listen 443 ssl http2;
    # ... SSL configuration ...
    # HSTS header (adjust max-age progressively).
    # "always" also sends it on 4xx/5xx responses. A location block that has
    # its own add_header does NOT inherit this one: repeat the line there.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
# Apache (.htaccess or vhost)
<IfModule mod_headers.c>
    # The expr= condition (Apache 2.4.10+) keeps the header off plain-HTTP
    # responses when the same .htaccess serves both vhosts; in a pure HTTPS
    # vhost it can be dropped.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</IfModule>
# PHP (in your application)
// Only send the header when the request actually came in over HTTPS.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
}
# Verify with curl (-s: quiet, -I: HEAD request, headers only)
curl -sI https://example.com | grep -i strict-transport-security
# The plain-HTTP side should answer with a redirect to HTTPS, not with the header:
curl -sI http://example.com | grep -i -E '^(HTTP|location)'
The header should only be sent on HTTPS responses: browsers ignore it on plain HTTP (RFC 6797), and the preload checker expects the HTTP side to redirect to HTTPS rather than set it. Use "always" in Nginx and Apache so the header is also sent on error responses (4xx/5xx); a browser that only ever sees your error pages would otherwise never learn the policy.
HSTS Best Practices
Avoid problems with these recommendations:
- Gradual progression: start with short max-age and increase progressively. A mistake with long max-age can block access to your site.
- Test all subdomains: before adding includeSubDomains, verify that EVERY subdomain, including internal ones (intranet, mail, dev, staging hosts), serves a valid SSL certificate over HTTPS. The directive also binds subdomains that never send the header.
- Plan SSL renewal: with HSTS, an expired certificate is even more problematic. Ensure renewal is automatic.
- Document your configuration: note when you enabled HSTS and with what parameters. The preload list is hard to leave.
HSTS Checklist
- All subdomains support HTTPS
- No mixed content on site
- HTTP→HTTPS redirect in place
- HSTS header tested with short max-age
- max-age increased progressively
- Preload list submission (optional)
Frequently Asked Questions
What happens if my certificate expires with HSTS active?
Visitors will be locked out until the certificate is replaced. For an HSTS host the browser shows the certificate error with no option to proceed, and it will not fall back to plain HTTP either.
Can I disable HSTS once enabled?
Yes. Serve Strict-Transport-Security: max-age=0 over HTTPS to ask browsers to forget the policy (the header is ignored over plain HTTP, so the HTTPS site must still be reachable). Browsers that already cached the old policy only learn this on their next HTTPS visit, so some visitors keep enforcing HSTS until their cached max-age expires. This does not remove a domain from the preload list.
What is the preload list?
A list of HSTS domains compiled into browsers, maintained at hstspreload.org. A preloaded site is HTTPS from the very first visit, without waiting for the first header, which closes the trust-on-first-use gap.
How do I leave the preload list?
Submit a removal request at hstspreload.org. Removal takes months: the list is shipped inside browser releases and only changes as those releases reach users, and a preloaded entry cannot be cleared by sending max-age=0.
Does HSTS work with dynamic subdomains?
Yes: includeSubDomains covers any subdomain, including ones created after the header was first sent, but each must serve a valid certificate. A wildcard SSL certificate is the usual way to cover them.
Does MoniTao check the HSTS header?
MoniTao checks SSL certificate validity. For HSTS, use securityheaders.com to analyze your security headers.
Secure with HSTS
HSTS is an essential security layer for any HTTPS site. Configure it progressively and carefully to avoid blocking access to your site.
With HSTS and MoniTao SSL monitoring, your site is protected from downgrade attacks and you're alerted before any certificate expiration.