Sitecheck Your website, fully covered
All terms
Glossary · HSTS

HSTS (HTTP Strict Transport Security)

A response header that forces browsers to use HTTPS for all future requests to a domain.

Sitecheck Team

HTTP Strict Transport Security (HSTS) is a response header, defined in RFC 6797, that tells browsers to only contact a host over HTTPS for a given duration. Once a browser sees the header, it upgrades any future http:// request to https:// automatically and refuses to connect if the certificate is invalid — no click-through bypass.

Why it matters

HSTS closes the gap between a user typing example.com and the server's HTTP-to-HTTPS redirect, which is exactly where SSL-stripping man-in-the-middle attacks happen. It also eliminates accidental mixed-content requests during development. Combined with SSL/TLS hardening and a DNS CAA Record, HSTS gives you a defensible HTTPS-only posture.

How to set it

  • Send Strict-Transport-Security: max-age=31536000; includeSubDomains; preload from every HTTPS response.
  • Start with a small max-age (a few minutes) while you confirm every subdomain serves valid HTTPS, then ramp up to one or two years.
  • Only add includeSubDomains once every host under the domain — including dev, staging, and email tooling — supports HTTPS.
  • Submit the apex domain to the HSTS preload list at hstspreload.org so browsers enforce HTTPS even on the first visit.
  • Pair with a strong CSP and a tight Referrer-Policy for a complete security header set.
  • Verify with curl -I https://example.com or browser DevTools and watch for the header on every response, not just the homepage.

See also