
HSTS (HTTP Strict Transport Security)


What Is HSTS

HSTS (HTTP Strict Transport Security) is a security mechanism where a web server instructs the browser to "always use HTTPS for future access to this domain." It is activated by including the Strict-Transport-Security header in HTTP responses.

Without HSTS, when a user accesses http://example.com, the first request travels in plaintext until the server answers with a redirect to HTTPS. That brief window is exactly what a man-in-the-middle attack (SSL stripping) needs: the attacker intercepts the plaintext request and never lets the redirect reach the browser. With HSTS, the browser rewrites the HTTP request to HTTPS before sending it, so the plaintext request never leaves the browser and the window is closed.

HSTS Configuration and Directives

HSTS is configured with the following response header.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age: Duration in seconds for the browser to remember the HSTS policy. 31536000 (1 year) is the recommended value. For initial deployment, start with 300 (5 minutes) or 86400 (1 day) and gradually extend once confirmed safe.
  • includeSubDomains: Applies HSTS to subdomains as well. Verify that all subdomains like api.example.com and cdn.example.com support HTTPS before enabling. Subdomains operating on HTTP only will become inaccessible.
  • preload: A flag indicating intent to register the domain on the HSTS Preload list. The flag alone does not add the domain to the list; a separate submission is required.

Among security headers, HSTS has relatively few side effects and can reliably enforce encrypted communication via TLS/SSL, making it a header that should be deployed early on HTTPS-enabled sites.

How the HSTS Preload List Works

Standard HSTS has a "first-visit problem." The browser only learns the policy from a Strict-Transport-Security header it has already received over HTTPS, so a user visiting the domain for the very first time is not yet protected.

The HSTS Preload list solves this problem. It is a list of HSTS-enabled domains built into the browsers themselves; submissions are made through hstspreload.org, which is run by the Chrome team. Once a domain is on the list, HTTPS is enforced from the very first visit, even on a browser that has never contacted the domain.

Requirements for Preload list registration:

  • Using a valid digital certificate
  • HTTP to HTTPS redirect is configured
  • max-age is 31536000 (1 year) or more
  • includeSubDomains and preload directives are included

Note that removal from the Preload list takes several months. Carefully verify that all subdomains support HTTPS before registering.
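The following Python model ties the two preceding sections together. It is an added example, not code from the original page: it parses the Strict-Transport-Security directive list as a browser would, checks the parsed policy against the preload-list header requirements listed above, and models the browser-side cache so the first-visit problem, includeSubDomains matching and max-age expiry can be observed directly. The host names and timestamps are constructed for illustration.

```python
"""Model of how a browser parses, stores and applies an HSTS policy.
Added example (not code from the page); hosts and times are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the Preload list minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.
    Returns None when the header is invalid (missing or non-numeric max-age,
    duplicated directive); a browser ignores such a header entirely."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> list:
    """List which of the Preload list header requirements are not met."""
    if policy is None:
        return ["header missing or invalid"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsCache:
    """Browser-side store of known HSTS hosts: host -> (policy, expiry)."""

    def __init__(self):
        self._entries = {}

    def observe(self, host: str, header: str, now: float) -> None:
        """Record a header seen on an HTTPS response from `host`."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self._entries.pop(host, None)
            return
        self._entries[host] = (policy, now + policy.max_age)

    def is_known(self, host: str, now: float) -> bool:
        """True if host itself, or a parent domain whose policy has
        includeSubDomains, holds an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            policy, expiry = entry
            if now >= expiry:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # an explicit port 80 becomes the default 443; other ports are kept (RFC 6797 8.3)
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Calling rewrite() on a fresh HstsCache leaves http://example.com/ untouched, which is the first-visit problem; after observe() has recorded a header from an HTTPS response, the same URL and, with includeSubDomains, any subdomain, are rewritten to https:// until max-age seconds have elapsed.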

HSTS Deployment Considerations and Gradual Approach

While HSTS is powerful, misconfiguration can render a site inaccessible. The following gradual approach is recommended.

  1. Step 1: Set max-age=300 (5 minutes) and verify the entire site works correctly over HTTPS
  2. Step 2: Extend to max-age=86400 (1 day) and operate for about a week to confirm no issues
  3. Step 3: Expand to max-age=31536000; includeSubDomains
  4. Step 4: Add preload if needed and apply for the Preload list

A particularly important case to watch for: if CDNs or third-party services deliver resources over HTTP, Mixed Content errors will occur after HSTS is applied. Verify that all external resources are delivered over HTTPS before deployment.

Combining with CSP's upgrade-insecure-requests directive automatically rewrites HTTP resource references within the page to HTTPS, mitigating Mixed Content issues during the transition period.
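The Mixed Content check recommended above can be done statically before HSTS is enabled. The scanner below is an added example, not code from the original page: it walks an HTML document and reports subresources (scripts, stylesheets, images, frames and similar) that are still referenced with an absolute http:// URL. Protocol-relative, relative and https:// references are left alone because they inherit the page's HTTPS, and plain links (a href) are skipped because navigation is not mixed content. The sample page is constructed.

```python
"""Static Mixed Content scanner for an HTML page about to go HSTS.
Added example (not code from the page); the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs through which a page loads subresources. A plain-HTTP
# value here becomes Mixed Content on an HTTPS page. <a href> is navigation,
# not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, offending url)

    def handle_starttag(self, tag, attrs):
        for attr_name in SUBRESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != attr_name or not value:
                    continue
                if attr_name == "srcset":
                    # srcset is a comma-separated list of "url descriptor" pairs
                    urls = [p.strip().split()[0] for p in value.split(",") if p.strip()]
                else:
                    urls = [value]
                for url in urls:
                    # only an absolute http:// scheme is a problem; https://,
                    # protocol-relative (//host/...) and relative URLs are fine
                    if urlsplit(url).scheme.lower() == "http":
                        self.findings.append((tag, attr_name, url))


def find_mixed_content(html: str) -> list:
    """Return every plain-HTTP subresource reference found in the document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two offending subresources plus a link and a
# protocol-relative script that must not be reported.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/analytics.js"></script>
</head><body>
<img src="/img/logo.png" srcset="http://cdn.example.com/logo-2x.png 2x">
<a href="http://partner.example.org/">Partner</a>
<iframe src="HTTP://widgets.example.net/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Each finding is a reference that must be changed to https:// (or made protocol-relative) before max-age is raised; upgrade-insecure-requests would paper over the same entries during the transition, but the scanner's output is the list of what still has to be fixed at the source.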

To learn more about this topic, see How HTTPS and TLS Work: The Encryption Behind Secure Communication.

Common Misconceptions

HSTS is unnecessary if you redirect to HTTPS
During the HTTP to HTTPS redirect, the initial request is sent in plaintext. A man-in-the-middle attack (SSL stripping) can succeed during this moment. HSTS rewrites HTTP requests to HTTPS on the browser side, defending against attacks that redirects cannot prevent.

Setting HSTS immediately applies to all users
Standard HSTS only becomes effective after the browser receives the header, so users are not protected on their first visit. To protect all users from the first visit, registration on the HSTS Preload list is required.