HSTS Header (Strict-Transport-Security) Explained

The HSTS header (HTTP Strict Transport Security) tells browsers to always use HTTPS when connecting to your website. By enforcing encrypted connections, the Strict-Transport-Security response header protects visitors from downgrade attacks, cookie hijacking, and insecure redirects.

What is the HSTS Header?

HSTS is a security policy delivered via the Strict-Transport-Security header. Once a browser sees it on an HTTPS response, the browser caches the rule and refuses to load your site over HTTP for a set period of time (the first visit before the rule is cached is only covered if the domain is on the preload list). This ensures every subsequent visit is encrypted and helps search engines trust your site’s HTTPS configuration.

HSTS Header Syntax

The header supports a few key directives that control its behavior:

  • max-age sets how long (in seconds) browsers should remember to force HTTPS.
  • includeSubDomains applies the rule to all subdomains.
  • preload allows your domain to be added to the browser preload list.

Header Syntax

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Why HSTS Matters for Security and SEO

HTTPS is a known ranking factor, and HSTS helps ensure every visit stays on the secure version of your site. It prevents insecure redirects, reduces mixed-content warnings, and signals that your HTTPS implementation is stable — all of which improve user trust and search visibility.

How to Enable the HSTS Header

  1. Install a valid TLS certificate and redirect all HTTP traffic to HTTPS.
  2. Set the Strict-Transport-Security header on HTTPS responses.
  3. Start with a shorter max-age, then increase to one year once verified.
  4. Enable includeSubDomains only after confirming all subdomains support HTTPS.
  5. Submit your domain to the HSTS preload list when ready.

Nginx Example

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Apache Example

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Test and Monitor Your HSTS Configuration

After enabling HSTS, confirm that the header is sent correctly and that all HTTPS redirects behave as expected. Use these tools to validate your setup:
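The following script is an added example (not part of the original article) that checks a response's Strict-Transport-Security header against the rollout steps above: it parses the directives, flags a missing or short max-age, warns when the header is only sent over HTTP, and checks the preload requirements (max-age of at least one year plus includeSubDomains). The sample responses at the bottom are constructed for the demonstration; point the checks at real response headers captured with your own tooling.

```python
"""Offline checks for a Strict-Transport-Security header (example code)."""

ONE_YEAR = 31536000  # seconds; the max-age the article recommends once verified


def parse_hsts(value):
    """Parse a header value into its directives (names are case-insensitive, ';'-separated)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(headers, over_https=True):
    """Return a list of findings for one response's headers (dict; key case ignored)."""
    findings = []
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("missing: Strict-Transport-Security header not sent")
        return findings
    if not over_https:
        findings.append("ignored: browsers only honour HSTS on HTTPS responses")
    policy = parse_hsts(value)
    if policy["max-age"] is None:
        findings.append("invalid: max-age is required")
    elif policy["max-age"] == 0:
        findings.append("disabled: max-age=0 clears a cached policy")
    elif policy["max-age"] < ONE_YEAR:
        findings.append(f"short: max-age={policy['max-age']} (target {ONE_YEAR})")
    if policy["preload"] and (not policy["includeSubDomains"] or (policy["max-age"] or 0) < ONE_YEAR):
        findings.append("preload: requires includeSubDomains and max-age of at least one year")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: a correct one and a premature preload rollout.
    samples = {
        "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "early": {"strict-transport-security": "max-age=300; preload"},
    }
    for label, hdrs in samples.items():
        print(label, check_hsts(hdrs) or ["ok"])
```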

Common HSTS Mistakes to Avoid

  • Setting a long max-age before every subdomain supports HTTPS.
  • Forgetting to serve the header on all HTTPS responses.
  • Submitting to the preload list without verifying long-term HTTPS readiness.

Key Takeaways

  • The HSTS header forces HTTPS and blocks insecure requests.
  • Use max-age, includeSubDomains, and preload thoughtfully.
  • Testing and monitoring protect users and improve SEO trust signals.