HTTP Strict Transport Security (HSTS) is a response header, defined in RFC 6797, that tells browsers to only contact a host over HTTPS for a given duration. Once a browser sees the header, it upgrades any future http:// request to https:// automatically and refuses to connect if the certificate is invalid — no click-through bypass.
Why it matters
HSTS closes the gap between a user typing example.com and the server's HTTP-to-HTTPS redirect, which is exactly where SSL-stripping man-in-the-middle attacks happen. It also eliminates accidental mixed-content requests during development. Combined with SSL/TLS hardening and a DNS CAA Record, HSTS gives you a defensible HTTPS-only posture.
How to set it
- Send `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` from every HTTPS response.
- Start with a small `max-age` (a few minutes) while you confirm every subdomain serves valid HTTPS, then ramp up to one or two years.
- Only add `includeSubDomains` once every host under the domain — including dev, staging, and email tooling — supports HTTPS.
- Submit the apex domain to the HSTS preload list at hstspreload.org so browsers enforce HTTPS even on the first visit.
- Pair with a strong CSP and a tight Referrer-Policy for a complete security header set.
- Verify with `curl -I https://example.com` or browser DevTools and watch for the header on every response, not just the homepage.
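As an added example (not code from the original page), the following Python checker parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes (max-age mandatory, case-insensitive directive names, unknown directives ignored, repeated directives invalid) and flags the rollout and preload-readiness points from the list above. It also pulls the header out of response heads in the shape `curl -I` prints, so a batch of captured responses can be audited for the "every response, not just the homepage" rule. The sample responses, URLs, and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# hstspreload.org requires max-age of at least one year (31536000 s),
# includeSubDomains, and the preload token before a domain is accepted.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security field value per RFC 6797 section 6.1.

    max-age is mandatory, directive names are case-insensitive, unknown
    directives are ignored, and a repeated directive makes the header invalid.
    """
    seen: set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the RFC grammar allows max-age="300"
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age needs a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(value: str) -> list[str]:
    """Turn a header value into a list of findings; a single 'ok' entry when preload-ready."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings: list[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy; browsers stop enforcing HTTPS for this host")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={policy.max_age} is below one year; fine for rollout, too short for preload")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent; subdomains are uncovered and preload submission is not possible")
    if policy.preload and (not policy.include_subdomains or policy.max_age < PRELOAD_MIN_MAX_AGE):
        findings.append("preload token present but the preload requirements are not met")
    return findings or ["ok: meets hstspreload.org requirements"]


def hsts_from_response(raw_head: str) -> Optional[str]:
    """Extract the STS value from an HTTP/1.x response head (the text `curl -I` prints)."""
    for line in raw_head.splitlines()[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


# Constructed sample responses standing in for `curl -I` output from two endpoints:
# the homepage sends the header, a static asset served by a separate config does not.
SAMPLE_RESPONSES = {
    "https://example.com/": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n"
    ),
    "https://example.com/static/app.js": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
    ),
}


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Assess every captured response so a missing header on any path stands out."""
    report: dict[str, list[str]] = {}
    for url, head in responses.items():
        value = hsts_from_response(head)
        if value is None:
            report[url] = ["missing: no Strict-Transport-Security header on this response"]
        else:
            report[url] = assess(value)
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Feed `audit` a dictionary built from real `curl -I` captures of every path and host you serve; the per-URL findings map directly onto the rollout steps (short max-age during testing, includeSubDomains only once all hosts are ready, preload last).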